* Removed upstream `name: pqcrystals-dilithium` and signature `name: dilithium` from `copy_from_upstream.yml`.
Removed everything under `src/sig/dilithium`
Re-run `copy_from_upstream.py -d copy`, which produced downstream changes to various build files.
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* remove Dilithium entries from kats.json
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* remove Dilithium entries from constant_time tests
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Removed dilithium.yml and dilithium.md. Re-run copy_from_upstream.py, which also updated README.md and cbom.json
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Removed Dilithium from FUZZING.md
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* removed license information about pqclean Dilithium and pqcrystals-dilithium from README.md. README.md still mentions Dilithium but only to say that it has been excluded
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Upgraded CONFIGURE.md minimal build example to ML-KEM-768 and ML-DSA-44
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Upgraded C++ sig linking test to ML-DSA-44; also added option to make the test fail hard if the algorithm is not enabled
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* remove Dilithium from GitHub action workflows
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* removed Dilithium from zephyr configuration and examples
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Removed scripts/copy_from_upstream/patches/pqclean-dilithium-arm-randomized-signing.patch
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Removed dilithium from upstream.name==pqclean.ignore
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
* Removed orphaned patches
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
---------
Signed-off-by: Ganyu (Bruce) Xu <g66xu@uwaterloo.ca>
cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_768 "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
cmake_dependent_option(OQS_ENABLE_KEM_ml_kem_1024 "" ON "OQS_ENABLE_KEM_ML_KEM" OFF)
-option(OQS_ENABLE_SIG_DILITHIUM "Enable dilithium algorithm family" ON)
-cmake_dependent_option(OQS_ENABLE_SIG_dilithium_2 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
-cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5 "" ON "OQS_ENABLE_SIG_DILITHIUM" OFF)
-
option(OQS_ENABLE_SIG_ML_DSA "Enable ml_dsa algorithm family" ON)
cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_65 "" ON "OQS_ENABLE_SIG_ML_DSA" OFF)
endif()
-if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
-if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_2_avx2 "" ON "OQS_ENABLE_SIG_dilithium_2" OFF)
-endif()
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_2_aarch64 "" ON "OQS_ENABLE_SIG_dilithium_2" OFF)
-endif()
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
-if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3_avx2 "" ON "OQS_ENABLE_SIG_dilithium_3" OFF)
-endif()
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_3_aarch64 "" ON "OQS_ENABLE_SIG_dilithium_3" OFF)
-endif()
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
-if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5_avx2 "" ON "OQS_ENABLE_SIG_dilithium_5" OFF)
-endif()
-endif()
-
-if(CMAKE_SYSTEM_NAME MATCHES "Linux|Darwin")
-if(OQS_DIST_ARM64_V8_BUILD OR (OQS_USE_ARM_NEON_INSTRUCTIONS AND OQS_USE_ARM_NEON_INSTRUCTIONS))
- cmake_dependent_option(OQS_ENABLE_SIG_dilithium_5_aarch64 "" ON "OQS_ENABLE_SIG_dilithium_5" OFF)
-endif()
-endif()
-
-
if(CMAKE_SYSTEM_NAME MATCHES "Darwin|Linux")
if(OQS_DIST_X86_64_BUILD OR (OQS_USE_AVX2_INSTRUCTIONS AND OQS_USE_POPCNT_INSTRUCTIONS))
cmake_dependent_option(OQS_ENABLE_SIG_ml_dsa_44_avx2 "" ON "OQS_ENABLE_SIG_ml_dsa_44" OFF)
/src/kem/ml_kem @bhess
/src/kem/ntru @saitomst
/src/sig/cross @alexrow
-/src/sig/dilithium @bhess
/src/sig/mayo @bhess
/src/sig/ml_dsa @bhess
/src/sig_stfl/lms @ashman-p
runs-on: ubuntu-latest
container: openquantumsafe/ci-ubuntu-latest:latest
env:
- SIG_NAME: dilithium_2
+ SIG_NAME: ml_dsa_44
steps:
- name: Create random build folder
run: tmp_build=$(mktemp -d) && echo "RANDOM_BUILD_DIR=$tmp_build" >> $GITHUB_ENV
runs-on: ubuntu-latest
container: openquantumsafe/ci-ubuntu-latest:latest
env:
- SIG_NAME: dilithium_2
+ SIG_NAME: ml_dsa_44
CC: clang
CXX: clang++
CFLAGS: -fsanitize=fuzzer-no-link,address
runner: ubuntu-latest
container: openquantumsafe/ci-ubuntu-latest:latest
CMAKE_ARGS: -DOQS_STRICT_WARNINGS=ON -DCMAKE_C_COMPILER=clang
- PYTEST_ARGS: --ignore=tests/test_kat_all.py -k 'not (leaks and (Dilithium or ML-DSA))'
+ PYTEST_ARGS: --ignore=tests/test_kat_all.py -k 'not (leaks and ML-DSA)'
- name: jammy-std-openssl3
runner: ubuntu-latest
container: openquantumsafe/ci-ubuntu-jammy:latest
strategy:
matrix:
algorithm: [ # List of available signatures to perform the benchmarking on
- "Dilithium2",
- "Dilithium3",
- "Dilithium5",
"ML-DSA-44",
"ML-DSA-65",
"ML-DSA-87",
if(OQS_ENABLE_KEM_ML_KEM)
set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/kem/ml_kem/kem_ml_kem.h)
endif()
-if(OQS_ENABLE_SIG_DILITHIUM)
- set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/dilithium/sig_dilithium.h)
-endif()
if(OQS_ENABLE_SIG_ML_DSA)
set(PUBLIC_HEADERS ${PUBLIC_HEADERS} ${PROJECT_SOURCE_DIR}/src/sig/ml_dsa/sig_ml_dsa.h)
endif()
## OQS_MINIMAL_BUILD
-If set, this defines a semicolon-delimited list of algorithms to be contained in a minimal build of `liboqs`: Only algorithms explicitly set here are included in a build: For example running `cmake -DOQS_MINIMAL_BUILD="KEM_kyber_768;SIG_dilithium_3" ..` will build a minimum-size `liboqs` library only containing support for Kyber768 and Dilithium3.
+If set, this defines a semicolon-delimited list of algorithms to be contained in a minimal build of `liboqs`: Only algorithms explicitly set here are included in a build: For example running `cmake -DOQS_MINIMAL_BUILD="KEM_ml_kem_768;SIG_ml_dsa_44" ..` will build a minimum-size `liboqs` library only containing support for ML-KEM-768 and ML-DSA-44.
The full list of identifiers that can be set is listed [here for KEM algorithms](https://github.com/open-quantum-safe/liboqs/blob/main/src/kem/kem.h#L34) and [here for Signature algorithms](https://github.com/open-quantum-safe/liboqs/blob/f3caccff9e6225e7c50ca27f5ee6e58b7bc74188/src/sig/sig.h#L34). The default setting is empty, thus including all [supported algorithms](https://github.com/open-quantum-safe/liboqs#supported-algorithms) in the build.
<!--- OQS_TEMPLATE_FRAGMENT_LIST_SIGS_START -->
- **CROSS**: cross-rsdp-128-balanced, cross-rsdp-128-fast, cross-rsdp-128-small†, cross-rsdp-192-balanced, cross-rsdp-192-fast, cross-rsdp-192-small†, cross-rsdp-256-balanced†, cross-rsdp-256-fast, cross-rsdp-256-small†, cross-rsdpg-128-balanced, cross-rsdpg-128-fast, cross-rsdpg-128-small, cross-rsdpg-192-balanced, cross-rsdpg-192-fast, cross-rsdpg-192-small†, cross-rsdpg-256-balanced, cross-rsdpg-256-fast, cross-rsdpg-256-smallâ€
-- **CRYSTALS-Dilithium**: Dilithium2, Dilithium3, Dilithium5
- **Falcon**: Falcon-512, Falcon-1024, Falcon-padded-512, Falcon-padded-1024
- **MAYO**: MAYO-1, MAYO-2, MAYO-3, MAYO-5â€
- **ML-DSA**: ML-DSA-44, ML-DSA-65, ML-DSA-87
- `src/kem/kyber/libjade_*` public domain (CC0) or Apache License v2.
- `src/kem/ml_kem/mlkem-native_*`: MIT or Apache License v2.0 or ISC License
- `src/kem/ntru/pqclean_*`: public domain (CC0)
-- `src/sig/dilithium/pqcrystals-*`: public domain (CC0) or Apache License v2.0
-- `src/sig/dilithium/pqclean_*`: public domain (CC0), and public domain (CC0) or Apache License v2.0, and public domain (CC0) or MIT, and MIT
- src/sig/falcon/pqclean_\*\_aarch64 : Apache License v2.0
- `src/sig/mayo/*`: Apache License v2.0
- `src/sig/ml_dsa/pqcrystals-*`: public domain (CC0) or Apache License v2.0
* example_sig.cpp
*
* Minimal C++ example of using a post-quantum signature implemented in liboqs.
+ * To test linking, compile the program against libcrypto (from OpenSSL) and liboqs
+ *
+ * g++ -g -I${LIBOQS_DIR}/build/include \
+ * -L${LIBOQS_DIR}/build/lib -loqs \
+ * -lcrypto -std=c++11 \
+ * -o ${LIBOQS_DIR}/build/tests/example_sig \
+ * ${LIBOQS_DIR}/cpp/sig_linking_test.cpp \
+ * && ${LIBOQS_DIR}/build/tests/example_sig
+ *
+ * `-lcrypto` requires libcrypto to be in dynamic linker's path.
+ * If installed with Homebrew, it is likely located at:
+ * /opt/homebrew/Cellar/openssl@3/x.y.z/lib
*
* SPDX-License-Identifier: MIT
*/
#include <oqs/oqs.h>
+/* TODO: I am not sure if "algo_xxx" not enabled should make the test succeed */
+#define CPP_LINKING_TEST_FAIL_HARD 0
+
constexpr size_t MESSAGE_LEN = 50;
/* Cleaning up memory etc */
* statically on the stack, calling a specific algorithm's functions
* directly.
*
- * The macros OQS_SIG_dilithium_2_length_* and the functions OQS_SIG_dilithium_2_*
- * are only defined if the algorithm dilithium_2 was enabled at compile-time
- * which must be checked using the OQS_ENABLE_SIG_dilithium_2 macro.
+ * The macros OQS_SIG_ml_dsa_44_length_* and the functions OQS_SIG_ml_dsa_44_*
+ * are only defined if the algorithm ml_dsa_44 was enabled at compile-time
+ * which must be checked using the OQS_ENABLE_SIG_ml_dsa_44 macro.
*
* <oqs/oqsconfig.h>, which is included in <oqs/oqs.h>, contains macros
* indicating which algorithms were enabled when this instance of liboqs
*/
static OQS_STATUS example_stack(void) {
-#ifdef OQS_ENABLE_SIG_dilithium_2
+#ifdef OQS_ENABLE_SIG_ml_dsa_44
OQS_STATUS rc;
- uint8_t public_key[OQS_SIG_dilithium_2_length_public_key];
- uint8_t secret_key[OQS_SIG_dilithium_2_length_secret_key];
+ uint8_t public_key[OQS_SIG_ml_dsa_44_length_public_key];
+ uint8_t secret_key[OQS_SIG_ml_dsa_44_length_secret_key];
uint8_t message[MESSAGE_LEN];
- uint8_t signature[OQS_SIG_dilithium_2_length_signature];
+ uint8_t signature[OQS_SIG_ml_dsa_44_length_signature];
size_t message_len = MESSAGE_LEN;
size_t signature_len;
// let's create a random test message to sign
OQS_randombytes(message, message_len);
- rc = OQS_SIG_dilithium_2_keypair(public_key, secret_key);
+ rc = OQS_SIG_ml_dsa_44_keypair(public_key, secret_key);
if (rc != OQS_SUCCESS) {
- std::cerr << "ERROR: OQS_SIG_dilithium_2_keypair failed!" << std::endl;
- cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+ std::cerr << "ERROR: OQS_SIG_ml_dsa_44_keypair failed!" << std::endl;
+ cleanup_stack(secret_key, OQS_SIG_ml_dsa_44_length_secret_key);
return OQS_ERROR;
}
- rc = OQS_SIG_dilithium_2_sign(signature, &signature_len, message, message_len, secret_key);
+ rc = OQS_SIG_ml_dsa_44_sign(signature, &signature_len, message, message_len, secret_key);
if (rc != OQS_SUCCESS) {
- std::cerr << "ERROR: OQS_SIG_dilithium_2_sign failed!" << std::endl;
- cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+ std::cerr << "ERROR: OQS_SIG_ml_dsa_44_sign failed!" << std::endl;
+ cleanup_stack(secret_key, OQS_SIG_ml_dsa_44_length_secret_key);
return OQS_ERROR;
}
- rc = OQS_SIG_dilithium_2_verify(message, message_len, signature, signature_len, public_key);
+ rc = OQS_SIG_ml_dsa_44_verify(message, message_len, signature, signature_len, public_key);
if (rc != OQS_SUCCESS) {
- std::cerr << "ERROR: OQS_SIG_dilithium_2_verify failed!" << std::endl;
- cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+ std::cerr << "ERROR: OQS_SIG_ml_dsa_44_verify failed!" << std::endl;
+ cleanup_stack(secret_key, OQS_SIG_ml_dsa_44_length_secret_key);
return OQS_ERROR;
}
- std::cout << "[example_stack] OQS_SIG_dilithium_2 operations completed" << std::endl;
- cleanup_stack(secret_key, OQS_SIG_dilithium_2_length_secret_key);
+ std::cout << "[example_stack] OQS_SIG_ml_dsa_44 operations completed" << std::endl;
+ cleanup_stack(secret_key, OQS_SIG_ml_dsa_44_length_secret_key);
return OQS_SUCCESS; // success!
#else
-
- std::cout << "[example_stack] OQS_SIG_dilithium_2 was not enabled at compile-time" << std::endl;
+ std::cout << "[example_stack] OQS_SIG_ml_dsa_44 was not enabled at compile-time" << std::endl;
+#if CPP_LINKING_TEST_FAIL_HARD
+ return OQS_ERROR;
+#else
return OQS_SUCCESS;
-
-#endif
+#endif /* CPP_LINKING_TEST_FAIL_HARD */
+#endif /* OQS_ENABLE_SIG_ml_dsa_44 */
}
/* This function gives an example of the signing operations,
*/
static OQS_STATUS example_heap(void) {
-#ifdef OQS_ENABLE_SIG_dilithium_2
+#ifdef OQS_ENABLE_SIG_ml_dsa_44
size_t message_len = MESSAGE_LEN;
size_t signature_len;
OQS_STATUS rc;
- std::unique_ptr<OQS_SIG, OQSSigDeleter> sig(OQS_SIG_new((OQS_SIG_alg_dilithium_2)));
+ std::unique_ptr<OQS_SIG, OQSSigDeleter> sig(OQS_SIG_new((OQS_SIG_alg_ml_dsa_44)));
if (sig == nullptr) {
- throw std::runtime_error("[example_heap] OQS_SIG_alg_dilithium_2 was not enabled at compile-time.");
+ throw std::runtime_error("[example_heap] OQS_SIG_alg_ml_dsa_44 was not enabled at compile-time.");
}
std::unique_ptr<uint8_t[], OQSInsecureDeleter> public_key(static_cast<uint8_t*>(malloc(sig->length_public_key)));
std::unique_ptr<uint8_t[], OQSSecureDeleter> secret_key(static_cast<uint8_t*>(malloc(sig->length_secret_key)), OQSSecureDeleter(sig->length_secret_key));
throw std::runtime_error("ERROR: OQS_SIG_verify failed!");
}
- std::cout << "[example_heap] OQS_SIG_dilithium_2 operations completed." << std::endl;
+ std::cout << "[example_heap] OQS_SIG_ml_dsa_44 operations completed." << std::endl;
return OQS_SUCCESS; // success
#else
-
- std::cout << "[example_heap] OQS_SIG_dilithium_2 was not enabled at compile-time." << std::endl;
+ std::cout << "[example_stack] OQS_SIG_ml_dsa_44 was not enabled at compile-time" << std::endl;
+#if CPP_LINKING_TEST_FAIL_HARD
+ return OQS_ERROR;
+#else
return OQS_SUCCESS;
-
-#endif
+#endif /* CPP_LINKING_TEST_FAIL_HARD */
+#endif /* OQS_ENABLE_SIG_ml_dsa_44 */
}
int main() {
- [ ] ml_kem
- [ ] ntruprime
- [ ] sig
- - [x] dilithium
- [x] falcon
- [x] mayo
- [x] ml_dsa
```bash
mkdir build && cd build
-cmake -GNinja .. -DOQS_BUILD_FUZZ_TESTS=ON
-ninja -j$(nproc)
+cmake -GNinja -DOQS_BUILD_FUZZ_TESTS=ON ..
+ninja
```
-You'll now be able to run a fuzz test e.g.
-```bash
-./tests/fuzz_test_dilithium2
-#9764 NEW cov: 4 ft: 708 corp: 100/318b lim: 43 exec/s: 9764 rss: 362Mb L: 41/41 MS: 4 EraseBytes-InsertRepeatedBytes-CMP-ChangeBit- DE: "\0004m\372"-
-...
-```
+`OQS_BUILD_FUZZ_TESTS` will build two test binaries: `tests/fuzz_test_sig` and `tests/fuzz_test_kem`.
+
The fuzzer will run indefinitely or;
- until it finds a bug and crashes,
- you manually stop the fuzzer i.e. CTRL-C
+++ /dev/null
-# CRYSTALS-Dilithium
-
-- **Algorithm type**: Digital signature scheme.
-- **Main cryptographic assumption**: hardness of lattice problems over module lattices.
-- **Principal submitters**: Vadim Lyubashevsky.
-- **Auxiliary submitters**: Shi Bai, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Peter Schwabe, Gregor Seiler, Damien Stehlé.
-- **Authors' website**: https://pq-crystals.org/dilithium/
-- **Specification version**: 3.1.
-- **Primary Source**<a name="primary-source"></a>:
- - **Source**: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 with copy_from_upstream patches
- - **Implementation license (SPDX-Identifier)**: CC0-1.0 or Apache-2.0
-- **Optimized Implementation sources**: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51 with copy_from_upstream patches
- - **oldpqclean-aarch64**:<a name="oldpqclean-aarch64"></a>
- - **Source**: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a with copy_from_upstream patches
- - **Implementation license (SPDX-Identifier)**: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT) and MIT
-
-
-## Parameter set summary
-
-| Parameter set | Parameter set alias | Security model | Claimed NIST Level | Public key size (bytes) | Secret key size (bytes) | Signature size (bytes) |
-|:---------------:|:----------------------|:-----------------|---------------------:|--------------------------:|--------------------------:|-------------------------:|
-| Dilithium2 | NA | SUF-CMA | 2 | 1312 | 2528 | 2420 |
-| Dilithium3 | NA | SUF-CMA | 3 | 1952 | 4000 | 3293 |
-| Dilithium5 | NA | SUF-CMA | 5 | 2592 | 4864 | 4595 |
-
-## Dilithium2 implementation characteristics
-
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage?‡ |
-|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:----------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
-| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
-
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
-
- ‡For an explanation of what this denotes, consult the [Explanation of Terms](#explanation-of-terms) section at the end of this file.
-
-## Dilithium3 implementation characteristics
-
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
-|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
-| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
-
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
-
-## Dilithium5 implementation characteristics
-
-| Implementation source | Identifier in upstream | Supported architecture(s) | Supported operating system(s) | CPU extension(s) used | No branching-on-secrets claimed? | No branching-on-secrets checked by valgrind? | Large stack usage? |
-|:-----------------------------------------:|:-------------------------|:----------------------------|:--------------------------------|:------------------------|:-----------------------------------|:-----------------------------------------------|:---------------------|
-| [Primary Source](#primary-source) | ref | All | All | None | True | True | False |
-| [Primary Source](#primary-source) | avx2 | x86\_64 | Darwin,Linux | AVX2,POPCNT | True | True | False |
-| [oldpqclean-aarch64](#oldpqclean-aarch64) | aarch64 | ARM64\_V8 | Linux,Darwin | None | True | False | False |
-
-Are implementations chosen based on runtime CPU feature detection? **Yes**.
-
-## Explanation of Terms
-
-- **Large Stack Usage**: Implementations identified as having such may cause failures when running in threads or in constrained environments.
\ No newline at end of file
+++ /dev/null
-name: CRYSTALS-Dilithium
-type: signature
-principal-submitters:
-- Vadim Lyubashevsky
-auxiliary-submitters:
-- Shi Bai
-- Léo Ducas
-- Eike Kiltz
-- Tancrède Lepoint
-- Peter Schwabe
-- Gregor Seiler
-- Damien Stehlé
-crypto-assumption: hardness of lattice problems over module lattices
-website: https://pq-crystals.org/dilithium/
-nist-round: 3
-spec-version: 3.1
-primary-upstream:
- source: https://github.com/pq-crystals/dilithium/commit/3e9b9f1412f6c7435dbeb4e10692ea58f181ee51
- with copy_from_upstream patches
- spdx-license-identifier: CC0-1.0 or Apache-2.0
-optimized-upstreams:
- oldpqclean-aarch64:
- source: https://github.com/PQClean/PQClean/commit/8e220a87308154d48fdfac40abbb191ac7fce06a
- with copy_from_upstream patches
- spdx-license-identifier: CC0-1.0 and (CC0-1.0 or Apache-2.0) and (CC0-1.0 or MIT)
- and MIT
-parameter-sets:
-- name: Dilithium2
- oqs_alg: OQS_SIG_alg_dilithium_2
- claimed-nist-level: 2
- claimed-security: SUF-CMA
- length-public-key: 1312
- length-secret-key: 2528
- length-signature: 2420
- implementations-switch-on-runtime-cpu-features: true
- implementations:
- - upstream: primary-upstream
- upstream-id: ref
- supported-platforms: all
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: true
- large-stack-usage: false
- - upstream: primary-upstream
- upstream-id: avx2
- supported-platforms:
- - architecture: x86_64
- operating_systems:
- - Darwin
- - Linux
- required_flags:
- - avx2
- - popcnt
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: true
- large-stack-usage: false
- - upstream: oldpqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
-- name: Dilithium3
- oqs_alg: OQS_SIG_alg_dilithium_3
- claimed-nist-level: 3
- claimed-security: SUF-CMA
- length-public-key: 1952
- length-secret-key: 4000
- length-signature: 3293
- implementations-switch-on-runtime-cpu-features: true
- implementations:
- - upstream: primary-upstream
- upstream-id: ref
- supported-platforms: all
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: true
- large-stack-usage: false
- - upstream: primary-upstream
- upstream-id: avx2
- supported-platforms:
- - architecture: x86_64
- operating_systems:
- - Darwin
- - Linux
- required_flags:
- - avx2
- - popcnt
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: true
- large-stack-usage: false
- - upstream: oldpqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
-- name: Dilithium5
- oqs_alg: OQS_SIG_alg_dilithium_5
- claimed-nist-level: 5
- claimed-security: SUF-CMA
- length-public-key: 2592
- length-secret-key: 4864
- length-signature: 4595
- implementations-switch-on-runtime-cpu-features: true
- implementations:
- - upstream: primary-upstream
- upstream-id: ref
- supported-platforms: all
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: true
- large-stack-usage: false
- - upstream: primary-upstream
- upstream-id: avx2
- supported-platforms:
- - architecture: x86_64
- operating_systems:
- - Darwin
- - Linux
- required_flags:
- - avx2
- - popcnt
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: true
- large-stack-usage: false
- - upstream: oldpqclean-aarch64
- upstream-id: aarch64
- supported-platforms:
- - architecture: ARM64_V8
- operating_systems:
- - Linux
- - Darwin
- common-crypto:
- - SHA3: liboqs
- no-secret-dependent-branching-claimed: true
- no-secret-dependent-branching-checked-by-valgrind: false
- large-stack-usage: false
"$schema": "https://raw.githubusercontent.com/CycloneDX/specification/1.6/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
- "serialNumber": "urn:uuid:149b75cd-1e55-4608-a41d-bf9ac463e183",
+ "serialNumber": "urn:uuid:e3f0e064-0a7b-49da-8f9c-20969271ed8f",
"version": 1,
"metadata": {
- "timestamp": "2025-08-22T10:37:38.713452+00:00",
+ "timestamp": "2025-09-11T19:12:41.723813+00:00",
"component": {
"type": "library",
- "bom-ref": "pkg:github/open-quantum-safe/liboqs@1fe9e6cc7cd31ff7aed58d998251ceb4ad6a87be",
+ "bom-ref": "pkg:github/open-quantum-safe/liboqs@c25f169f5ad77d5b96984357a396f98c223b7a98",
"name": "liboqs",
- "version": "1fe9e6cc7cd31ff7aed58d998251ceb4ad6a87be"
+ "version": "c25f169f5ad77d5b96984357a396f98c223b7a98"
}
},
"components": [
{
"type": "library",
- "bom-ref": "pkg:github/open-quantum-safe/liboqs@1fe9e6cc7cd31ff7aed58d998251ceb4ad6a87be",
+ "bom-ref": "pkg:github/open-quantum-safe/liboqs@c25f169f5ad77d5b96984357a396f98c223b7a98",
"name": "liboqs",
- "version": "1fe9e6cc7cd31ff7aed58d998251ceb4ad6a87be"
+ "version": "c25f169f5ad77d5b96984357a396f98c223b7a98"
},
{
"type": "cryptographic-asset",
}
}
},
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium2:generic",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium2",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 2,
- "implementationPlatform": "generic"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium2:x86_64",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium2",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 2,
- "implementationPlatform": "x86_64"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium2:armv8-a",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium2",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 2,
- "implementationPlatform": "armv8-a"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium3:generic",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium3",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 3,
- "implementationPlatform": "generic"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium3:x86_64",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium3",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 3,
- "implementationPlatform": "x86_64"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium3:armv8-a",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium3",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 3,
- "implementationPlatform": "armv8-a"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium5:generic",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium5",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 5,
- "implementationPlatform": "generic"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium5:x86_64",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium5",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 5,
- "implementationPlatform": "x86_64"
- }
- }
- },
- {
- "type": "cryptographic-asset",
- "bom-ref": "alg:Dilithium5:armv8-a",
- "name": "CRYSTALS-Dilithium",
- "cryptoProperties": {
- "assetType": "algorithm",
- "algorithmProperties": {
- "parameterSetIdentifier": "Dilithium5",
- "primitive": "signature",
- "executionEnvironment": "software-plain-ram",
- "cryptoFunctions": [
- "keygen",
- "sign",
- "verify"
- ],
- "nistQuantumSecurityLevel": 5,
- "implementationPlatform": "armv8-a"
- }
- }
- },
{
"type": "cryptographic-asset",
"bom-ref": "alg:Falcon-512:generic",
],
"dependencies": [
{
- "ref": "pkg:github/open-quantum-safe/liboqs@1fe9e6cc7cd31ff7aed58d998251ceb4ad6a87be",
+ "ref": "pkg:github/open-quantum-safe/liboqs@c25f169f5ad77d5b96984357a396f98c223b7a98",
"provides": [
"alg:BIKE-L1:x86_64",
"alg:BIKE-L3:x86_64",
"alg:cross-rsdpg-256-fast:x86_64",
"alg:cross-rsdpg-256-small:generic",
"alg:cross-rsdpg-256-small:x86_64",
- "alg:Dilithium2:generic",
- "alg:Dilithium2:x86_64",
- "alg:Dilithium2:armv8-a",
- "alg:Dilithium3:generic",
- "alg:Dilithium3:x86_64",
- "alg:Dilithium3:armv8-a",
- "alg:Dilithium5:generic",
- "alg:Dilithium5:x86_64",
- "alg:Dilithium5:armv8-a",
"alg:Falcon-512:generic",
"alg:Falcon-512:x86_64",
"alg:Falcon-512:armv8-a",
"alg:sha3"
]
},
- {
- "ref": "alg:Dilithium2:generic",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium2:x86_64",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium2:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium3:generic",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium3:x86_64",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium3:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium5:generic",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium5:x86_64",
- "dependsOn": [
- "alg:sha3"
- ]
- },
- {
- "ref": "alg:Dilithium5:armv8-a",
- "dependsOn": [
- "alg:sha3"
- ]
- },
{
"ref": "alg:Falcon-512:generic",
"dependsOn": [
sig_meta_path: 'crypto_sign/{pqclean_scheme}/META.yml'
kem_scheme_path: 'crypto_kem/{pqclean_scheme}'
sig_scheme_path: 'crypto_sign/{pqclean_scheme}'
- patches: [pqclean-dilithium-arm-randomized-signing.patch, pqclean-kyber-armneon-shake-fixes.patch, pqclean-kyber-armneon-768-1024-fixes.patch, pqclean-kyber-armneon-variable-timing-fix.patch,
+ patches: [pqclean-kyber-armneon-shake-fixes.patch, pqclean-kyber-armneon-768-1024-fixes.patch, pqclean-kyber-armneon-variable-timing-fix.patch,
pqclean-kyber-armneon-asan.patch]
ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64
-
kem_scheme_path: 'crypto_kem/{pqclean_scheme}'
sig_scheme_path: 'crypto_sign/{pqclean_scheme}'
patches: [pqclean-sphincs.patch, classic_mceliece_memset.patch]
- ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64, pqclean_kyber512_aarch64, pqclean_kyber1024_aarch64, pqclean_kyber768_aarch64, pqclean_dilithium2_aarch64, pqclean_dilithium3_aarch64, pqclean_dilithium5_aarch64
+ ignore: pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256s-simple_aarch64, pqclean_sphincs-shake-256f-simple_aarch64, pqclean_sphincs-shake-192s-simple_aarch64, pqclean_sphincs-shake-192f-simple_aarch64, pqclean_sphincs-shake-128s-simple_aarch64, pqclean_sphincs-shake-128f-simple_aarch64, pqclean_kyber512_aarch64, pqclean_kyber1024_aarch64, pqclean_kyber768_aarch64
-
name: pqcrystals-kyber
git_url: https://github.com/pq-crystals/kyber.git
kem_meta_path: '{pretty_name_full}_META.yml'
kem_scheme_path: '.'
patches: [icicle-mlkem-enc-derand.patch]
- -
- name: pqcrystals-dilithium
- git_url: https://github.com/pq-crystals/dilithium.git
- git_branch: master
- git_commit: 3e9b9f1412f6c7435dbeb4e10692ea58f181ee51
- sig_meta_path: '{pretty_name_full}_META.yml'
- sig_scheme_path: '.'
- patches: [pqcrystals-dilithium-yml.patch, pqcrystals-dilithium-ref-shake-aes.patch, pqcrystals-dilithium-avx2-shake-aes.patch, pqcrystals-dilithium-SUF-CMA.patch]
-
name: pqcrystals-dilithium-standard
git_url: https://github.com/pq-crystals/dilithium.git
pqclean_scheme: ml-kem-1024
pretty_name_full: ML-KEM-1024
sigs:
- -
- name: dilithium
- default_implementation: ref
- upstream_location: pqcrystals-dilithium
- arch_specific_implementations:
- aarch64: aarch64
- arch_specific_upstream_locations:
- aarch64: oldpqclean
- schemes:
- -
- scheme: "2"
- pqclean_scheme: dilithium2
- pretty_name_full: Dilithium2
- signed_msg_order: sig_then_msg
- -
- scheme: "3"
- pqclean_scheme: dilithium3
- pretty_name_full: Dilithium3
- signed_msg_order: sig_then_msg
- -
- scheme: "5"
- pqclean_scheme: dilithium5
- pretty_name_full: Dilithium5
- signed_msg_order: sig_then_msg
-
name: ml_dsa
default_implementation: ref
+++ /dev/null
-From d1587756615048953cc96a377d5ff312ca25d753 Mon Sep 17 00:00:00 2001
-From: Jason Goertzen <Martyrshot@gmail.com>
-Date: Fri, 4 Mar 2022 12:04:48 -0500
-Subject: [PATCH] Manually adding randomized signing to dilithium, and removing
- some repeat defintions related to sha3
-
----
- crypto_sign/dilithium2/aarch64/fips202x2.h | 8 ++------
- crypto_sign/dilithium2/aarch64/sign.c | 8 +++++++-
- crypto_sign/dilithium3/aarch64/fips202x2.h | 8 ++------
- crypto_sign/dilithium3/aarch64/sign.c | 8 +++++++-
- crypto_sign/dilithium5/aarch64/fips202x2.h | 7 ++-----
- crypto_sign/dilithium5/aarch64/sign.c | 8 +++++++-
- 6 files changed, 27 insertions(+), 20 deletions(-)
-
-diff --git a/crypto_sign/dilithium2/aarch64/fips202x2.h b/crypto_sign/dilithium2/aarch64/fips202x2.h
-index 411d191..e2ee105 100644
---- a/crypto_sign/dilithium2/aarch64/fips202x2.h
-+++ b/crypto_sign/dilithium2/aarch64/fips202x2.h
-@@ -5,13 +5,9 @@
- #include <arm_neon.h>
- #include <stddef.h>
-
--typedef uint64x2_t v128;
--
--#define SHAKE128_RATE 168
--#define SHAKE256_RATE 136
--#define SHA3_256_RATE 136
--#define SHA3_512_RATE 72
-+#include <fips202.h>
-
-+typedef uint64x2_t v128;
-
- typedef struct {
- v128 s[25];
-diff --git a/crypto_sign/dilithium2/aarch64/sign.c b/crypto_sign/dilithium2/aarch64/sign.c
-index ebe3e82..e6c032d 100644
---- a/crypto_sign/dilithium2/aarch64/sign.c
-+++ b/crypto_sign/dilithium2/aarch64/sign.c
-@@ -106,7 +106,13 @@ int crypto_sign_signature(uint8_t *sig,
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
-- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-+ // liboqs uses randomized signing for the reference and
-+ // avx2 implementations of dilithium. pqclean currently
-+ // doesn't support randomized signing, so this is patched
-+ // in. If/when pqclean adds randomized signing to dilithium
-+ // this will need to be updated.
-+ randombytes(rhoprime, CRHBYTES);
-+ //shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
-diff --git a/crypto_sign/dilithium3/aarch64/fips202x2.h b/crypto_sign/dilithium3/aarch64/fips202x2.h
-index 411d191..e2ee105 100644
---- a/crypto_sign/dilithium3/aarch64/fips202x2.h
-+++ b/crypto_sign/dilithium3/aarch64/fips202x2.h
-@@ -5,13 +5,9 @@
- #include <arm_neon.h>
- #include <stddef.h>
-
--typedef uint64x2_t v128;
--
--#define SHAKE128_RATE 168
--#define SHAKE256_RATE 136
--#define SHA3_256_RATE 136
--#define SHA3_512_RATE 72
-+#include <fips202.h>
-
-+typedef uint64x2_t v128;
-
- typedef struct {
- v128 s[25];
-diff --git a/crypto_sign/dilithium3/aarch64/sign.c b/crypto_sign/dilithium3/aarch64/sign.c
-index ebe3e82..e6c032d 100644
---- a/crypto_sign/dilithium3/aarch64/sign.c
-+++ b/crypto_sign/dilithium3/aarch64/sign.c
-@@ -106,7 +106,13 @@ int crypto_sign_signature(uint8_t *sig,
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
-- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-+ // liboqs uses randomized signing for the reference and
-+ // avx2 implementations of dilithium. pqclean currently
-+ // doesn't support randomized signing, so this is patched
-+ // in. If/when pqclean adds randomized signing to dilithium
-+ // this will need to be updated.
-+ randombytes(rhoprime, CRHBYTES);
-+ //shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
-diff --git a/crypto_sign/dilithium5/aarch64/fips202x2.h b/crypto_sign/dilithium5/aarch64/fips202x2.h
-index 411d191..63a2bba 100644
---- a/crypto_sign/dilithium5/aarch64/fips202x2.h
-+++ b/crypto_sign/dilithium5/aarch64/fips202x2.h
-@@ -5,12 +5,9 @@
- #include <arm_neon.h>
- #include <stddef.h>
-
--typedef uint64x2_t v128;
-+#include <fips202.h>
-
--#define SHAKE128_RATE 168
--#define SHAKE256_RATE 136
--#define SHA3_256_RATE 136
--#define SHA3_512_RATE 72
-+typedef uint64x2_t v128;
-
-
- typedef struct {
-diff --git a/crypto_sign/dilithium5/aarch64/sign.c b/crypto_sign/dilithium5/aarch64/sign.c
-index ebe3e82..e6c032d 100644
---- a/crypto_sign/dilithium5/aarch64/sign.c
-+++ b/crypto_sign/dilithium5/aarch64/sign.c
-@@ -106,7 +106,13 @@ int crypto_sign_signature(uint8_t *sig,
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
-- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-+ // liboqs uses randomized signing for the reference and
-+ // avx2 implementations of dilithium. pqclean currently
-+ // doesn't support randomized signing, so this is patched
-+ // in. If/when pqclean adds randomized signing to dilithium
-+ // this will need to be updated.
-+ randombytes(rhoprime, CRHBYTES);
-+ //shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
---
-2.32.0 (Apple Git-132)
-
+++ /dev/null
-ef30acde710cc1fcb0ed9735af3631761ed0358a
-diff --git a/Dilithium2-AES_META.yml b/Dilithium2-AES_META.yml
-index bad46d3..ce6e854 100644
---- a/Dilithium2-AES_META.yml
-+++ b/Dilithium2-AES_META.yml
-@@ -1,6 +1,7 @@
- name: Dilithium2-AES
- type: signature
- claimed-nist-level: 2
-+claimed-security: SUF-CMA
- length-public-key: 1312
- length-secret-key: 2528
- length-signature: 2420
-diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml
-index f4b7e8f..1b23d3e 100644
---- a/Dilithium2_META.yml
-+++ b/Dilithium2_META.yml
-@@ -1,6 +1,7 @@
- name: Dilithium2
- type: signature
- claimed-nist-level: 2
-+claimed-security: SUF-CMA
- length-public-key: 1312
- length-secret-key: 2528
- length-signature: 2420
-diff --git a/Dilithium3-AES_META.yml b/Dilithium3-AES_META.yml
-index 0269442..5153309 100644
---- a/Dilithium3-AES_META.yml
-+++ b/Dilithium3-AES_META.yml
-@@ -1,6 +1,7 @@
- name: Dilithium3-AES
- type: signature
- claimed-nist-level: 3
-+claimed-security: SUF-CMA
- length-public-key: 1952
- length-secret-key: 4000
- length-signature: 3293
-diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml
-index f45c859..e4fbed2 100644
---- a/Dilithium3_META.yml
-+++ b/Dilithium3_META.yml
-@@ -1,6 +1,7 @@
- name: Dilithium3
- type: signature
- claimed-nist-level: 3
-+claimed-security: SUF-CMA
- length-public-key: 1952
- length-secret-key: 4000
- length-signature: 3293
-diff --git a/Dilithium5-AES_META.yml b/Dilithium5-AES_META.yml
-index 0128a32..e53bd7d 100644
---- a/Dilithium5-AES_META.yml
-+++ b/Dilithium5-AES_META.yml
-@@ -1,6 +1,7 @@
- name: Dilithium5-AES
- type: signature
- claimed-nist-level: 5
-+claimed-security: SUF-CMA
- length-public-key: 2592
- length-secret-key: 4864
- length-signature: 4595
-diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml
-index 618b617..8c1aa5f 100644
---- a/Dilithium5_META.yml
-+++ b/Dilithium5_META.yml
-@@ -1,6 +1,7 @@
- name: Dilithium5
- type: signature
- claimed-nist-level: 5
-+claimed-security: SUF-CMA
- length-public-key: 2592
- length-secret-key: 4864
- length-signature: 4595
+++ /dev/null
-3a2763b7448b2d9e2fd3ba7b5b96636806c3c96c
-diff --git a/avx2/poly.c b/avx2/poly.c
-index 0e9e988..bb268fd 100644
---- a/avx2/poly.c
-+++ b/avx2/poly.c
-@@ -403,6 +403,7 @@ void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
- stream128_state state;
- stream128_init(&state, seed, nonce);
- poly_uniform_preinit(a, &state);
-+ stream128_release(&state);
- }
-
- #ifndef DILITHIUM_USE_AES
-@@ -418,7 +419,7 @@ void poly_uniform_4x(poly *a0,
- {
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
-- keccakx4_state state;
-+ shake128x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)seed);
-@@ -436,6 +437,7 @@ void poly_uniform_4x(poly *a0,
- buf[3].coeffs[SEEDBYTES+0] = nonce3;
- buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
-
-+ shake128x4_inc_init(&state);
- shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
-
-@@ -452,6 +454,7 @@ void poly_uniform_4x(poly *a0,
- ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
- ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
- }
-+ shake128x4_inc_ctx_release(&state);
- }
- #endif
-
-@@ -535,6 +538,7 @@ void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_eta_preinit(a, &state);
-+ stream256_release(&state);
- }
-
- #ifndef DILITHIUM_USE_AES
-@@ -552,7 +556,7 @@ void poly_uniform_eta_4x(poly *a0,
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
-
- __m256i f;
-- keccakx4_state state;
-+ shake256x4incctx state;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
-@@ -574,6 +578,7 @@ void poly_uniform_eta_4x(poly *a0,
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
-+ shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
-
-@@ -590,6 +595,7 @@ void poly_uniform_eta_4x(poly *a0,
- ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
- ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
- }
-+ shake256x4_inc_ctx_release(&state);
- }
- #endif
-
-@@ -618,6 +624,7 @@ void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_gamma1_preinit(a, &state);
-+ stream256_release(&state);
- }
-
- #ifndef DILITHIUM_USE_AES
-@@ -632,7 +639,7 @@ void poly_uniform_gamma1_4x(poly *a0,
- uint16_t nonce3)
- {
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
-- keccakx4_state state;
-+ shake256x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
-@@ -655,8 +662,10 @@ void poly_uniform_gamma1_4x(poly *a0,
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
-+ shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
-+ shake256x4_inc_ctx_release(&state);
-
- polyz_unpack(a0, buf[0].coeffs);
- polyz_unpack(a1, buf[1].coeffs);
-@@ -679,12 +688,12 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- ALIGNED_UINT8(SHAKE256_RATE) buf;
-- keccak_state state;
-+ shake256incctx state;
-
-- shake256_init(&state);
-- shake256_absorb(&state, seed, SEEDBYTES);
-- shake256_finalize(&state);
-- shake256_squeezeblocks(buf.coeffs, 1, &state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, seed, SEEDBYTES);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
-
- memcpy(&signs, buf.coeffs, 8);
- pos = 8;
-@@ -704,6 +713,7 @@ void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
-+ shake256_inc_ctx_release(&state);
- }
-
- /*************************************************
-diff --git a/avx2/sign.c b/avx2/sign.c
-index 3dee7a62..8c254f07 100644
---- a/avx2/sign.c
-+++ b/avx2/sign.c
-@@ -97,17 +97,18 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
-
- /* Sample short vectors s1 and s2 */
- #ifdef DILITHIUM_USE_AES
-- aes256ctr_init(&aesctx, rhoprime, 0);
-+ aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
-+ aes256_ctx_release(&aesctx);
- #elif K == 4 && L == 4
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
-@@ -134,7 +135,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- polyvecl_ntt(&s1);
-
- #ifdef DILITHIUM_USE_AES
-- aes256ctr_init(&aesctx, rho, 0);
-+ aes256ctr_init_u64(&aesctx, rho, 0);
- #endif
-
- for(i = 0; i < K; i++) {
-@@ -142,7 +143,7 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- #ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-@@ -164,6 +165,10 @@ int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
- }
-
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+
- /* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-
-@@ -197,7 +202,7 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
- polyvecl y;
- polyveck w0;
- } tmpv;
-- keccak_state state;
-+ shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
-@@ -207,11 +212,11 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
-- shake256_init(&state);
-- shake256_absorb(&state, tr, SEEDBYTES);
-- shake256_absorb(&state, m, mlen);
-- shake256_finalize(&state);
-- shake256_squeeze(mu, CRHBYTES, &state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, tr, SEEDBYTES);
-+ shake256_inc_absorb(&state, m, mlen);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(mu, CRHBYTES, &state);
-
- #ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-@@ -227,14 +232,14 @@ int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t
-
- #ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
-- aes256ctr_init(&aesctx, rhoprime, 0);
-+ aes256ctr_init_u64(&aesctx, rhoprime, 0);
- #endif
-
- rej:
- /* Sample intermediate vector y */
- #ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-@@ -268,11 +273,11 @@ rej:
- polyveck_decompose(&w1, &tmpv.w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
-- shake256_init(&state);
-- shake256_absorb(&state, mu, CRHBYTES);
-- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
-- shake256_finalize(&state);
-- shake256_squeeze(sig, SEEDBYTES, &state);
-+ shake256_inc_ctx_reset(&state);
-+ shake256_inc_absorb(&state, mu, CRHBYTES);
-+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
-@@ -317,6 +322,11 @@ rej:
- hint[OMEGA + i] = pos = pos + n;
- }
-
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+
-+ shake256_inc_ctx_release(&state);
- /* Pack z into signature */
- for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
-@@ -380,18 +390,19 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- polyvecl *row = rowbuf;
- polyvecl z;
- poly c, w1, h;
-- keccak_state state;
-+ shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-- shake256_init(&state);
-- shake256_absorb(&state, mu, SEEDBYTES);
-- shake256_absorb(&state, m, mlen);
-- shake256_finalize(&state);
-- shake256_squeeze(mu, CRHBYTES, &state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, mu, SEEDBYTES);
-+ shake256_inc_absorb(&state, m, mlen);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(mu, CRHBYTES, &state);
-+ shake256_inc_ctx_release(&state);
-
- /* Expand challenge */
- poly_challenge(&c, sig);
-@@ -404,7 +415,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- }
-
- #ifdef DILITHIUM_USE_AES
-- aes256ctr_init(&aesctx, pk, 0);
-+ aes256ctr_init_u64(&aesctx, pk, 0);
- #endif
-
- for(i = 0; i < K; i++) {
-@@ -412,7 +423,7 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- #ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
-- aesctx.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-@@ -434,12 +445,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
-
- /* Get hint polynomial and reconstruct w1 */
- memset(h.vec, 0, sizeof(poly));
-- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA)
-+ if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
- return -1;
-+ }
-
- for(j = pos; j < hint[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
-- if(j > pos && hint[j] <= hint[j-1]) return -1;
-+ if(j > pos && hint[j] <= hint[j-1]) {
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+ return -1;
-+ }
- h.coeffs[hint[j]] = 1;
- }
- pos = hint[OMEGA + i];
-@@ -449,16 +469,21 @@ int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size
- polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
- }
-
-+#ifdef DILITHIUM_USE_AES
-+ aes256_ctx_release(&aesctx);
-+#endif
-+
- /* Extra indices are zero for strong unforgeability */
- for(j = pos; j < OMEGA; ++j)
- if(hint[j]) return -1;
-
- /* Call random oracle and verify challenge */
-- shake256_init(&state);
-- shake256_absorb(&state, mu, CRHBYTES);
-- shake256_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
-- shake256_finalize(&state);
-- shake256_squeeze(buf.coeffs, SEEDBYTES, &state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, mu, CRHBYTES);
-+ shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
-+ shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(buf.coeffs[i] != sig[i])
- return -1;
-diff --git a/avx2/polyvec.c b/avx2/polyvec.c
-index 1d9c2e70..5ce1d887 100644
---- a/avx2/polyvec.c
-+++ b/avx2/polyvec.c
-@@ -25,16 +25,17 @@ void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- uint64_t nonce;
- aes256ctr_ctx state;
-
-- aes256ctr_init(&state, rho, 0);
-+ aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
-- state.n = _mm_loadl_epi64((__m128i *)&nonce);
-+ aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
-+ aes256_ctx_release(&state);
- }
-
- #elif K == 4 && L == 4
-diff --git a/avx2/symmetric.h b/avx2/symmetric.h
-index 7eb6f98..ed476d1 100644
---- a/avx2/symmetric.h
-+++ b/avx2/symmetric.h
-@@ -15,31 +15,35 @@ typedef aes256ctr_ctx stream256_state;
- #define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
- #define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
--#define stream128_init(STATE, SEED, NONCE) aes256ctr_init(STATE, SEED, NONCE)
-+#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
- #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
--#define stream256_init(STATE, SEED, NONCE) aes256ctr_init(STATE, SEED, NONCE)
-+#define stream128_release(STATE) aes256_ctx_release(STATE)
-+#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
- #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream256_release(STATE) aes256_ctx_release(STATE)
-
- #else
-
- #include "fips202.h"
-
--typedef keccak_state stream128_state;
--typedef keccak_state stream256_state;
-+typedef shake128incctx stream128_state;
-+typedef shake256incctx stream256_state;
-
- #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
--void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-+void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
- #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
--void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
-+void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
- #define STREAM128_BLOCKBYTES SHAKE128_RATE
- #define STREAM256_BLOCKBYTES SHAKE256_RATE
-
- #define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
- #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
- #define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
- #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
- #endif
-
+++ /dev/null
-88ad24c7c247d0f2f4c6b22a7e0a4696053b41d5
-diff --git a/ref/poly.c b/ref/poly.c
-index a6ba074..006e83c 100644
---- a/ref/poly.c
-+++ b/ref/poly.c
-@@ -365,6 +365,7 @@ void poly_uniform(poly *a,
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
-+ stream128_release(&state);
- }
-
- /*************************************************
-@@ -450,6 +451,7 @@ void poly_uniform_eta(poly *a,
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
-+ stream256_release(&state);
- }
-
- /*************************************************
-@@ -473,6 +475,7 @@ void poly_uniform_gamma1(poly *a,
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
-+ stream256_release(&state);
- polyz_unpack(a, buf);
- }
-
-@@ -490,11 +493,11 @@ void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
-- keccak_state state;
-+ shake256incctx state;
-
-- shake256_init(&state);
-- shake256_absorb(&state, seed, SEEDBYTES);
-- shake256_finalize(&state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, seed, SEEDBYTES);
-+ shake256_inc_finalize(&state);
- shake256_squeezeblocks(buf, 1, &state);
-
- signs = 0;
-@@ -518,6 +521,7 @@ void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
-+ shake256_inc_ctx_release(&state);
- }
-
- /*************************************************
-diff --git a/ref/sign.c b/ref/sign.c
-index 5d0455c..16333eb 100644
---- a/ref/sign.c
-+++ b/ref/sign.c
-@@ -90,7 +90,7 @@ int crypto_sign_signature(uint8_t *sig,
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
-- keccak_state state;
-+ shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
-@@ -100,11 +100,11 @@ int crypto_sign_signature(uint8_t *sig,
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
-- shake256_init(&state);
-- shake256_absorb(&state, tr, SEEDBYTES);
-- shake256_absorb(&state, m, mlen);
-- shake256_finalize(&state);
-- shake256_squeeze(mu, CRHBYTES, &state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, tr, SEEDBYTES);
-+ shake256_inc_absorb(&state, m, mlen);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(mu, CRHBYTES, &state);
-
- #ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-@@ -134,11 +134,11 @@ rej:
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
-- shake256_init(&state);
-- shake256_absorb(&state, mu, CRHBYTES);
-- shake256_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
-- shake256_finalize(&state);
-- shake256_squeeze(sig, SEEDBYTES, &state);
-+ shake256_inc_ctx_reset(&state);
-+ shake256_inc_absorb(&state, mu, CRHBYTES);
-+ shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
-@@ -171,6 +171,8 @@ rej:
- if(n > OMEGA)
- goto rej;
-
-+ shake256_inc_ctx_release(&state);
-+
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
-@@ -236,7 +238,7 @@ int crypto_sign_verify(const uint8_t *sig,
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
-- keccak_state state;
-+ shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-@@ -249,11 +251,11 @@ int crypto_sign_verify(const uint8_t *sig,
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-- shake256_init(&state);
-- shake256_absorb(&state, mu, SEEDBYTES);
-- shake256_absorb(&state, m, mlen);
-- shake256_finalize(&state);
-- shake256_squeeze(mu, CRHBYTES, &state);
-+ shake256_inc_init(&state);
-+ shake256_inc_absorb(&state, mu, SEEDBYTES);
-+ shake256_inc_absorb(&state, m, mlen);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(mu, CRHBYTES, &state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
-@@ -277,11 +279,12 @@ int crypto_sign_verify(const uint8_t *sig,
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
-- shake256_init(&state);
-- shake256_absorb(&state, mu, CRHBYTES);
-- shake256_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
-- shake256_finalize(&state);
-- shake256_squeeze(c2, SEEDBYTES, &state);
-+ shake256_inc_ctx_reset(&state);
-+ shake256_inc_absorb(&state, mu, CRHBYTES);
-+ shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
-+ shake256_inc_finalize(&state);
-+ shake256_inc_squeeze(c2, SEEDBYTES, &state);
-+ shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(c[i] != c2[i])
- return -1;
-diff --git a/ref/symmetric-shake.c b/ref/symmetric-shake.c
-index 11ec09c..963f649 100644
---- a/ref/symmetric-shake.c
-+++ b/ref/symmetric-shake.c
-@@ -3,26 +3,26 @@
- #include "symmetric.h"
- #include "fips202.h"
-
--void dilithium_shake128_stream_init(keccak_state *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-+void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
- {
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
-- shake128_init(state);
-- shake128_absorb(state, seed, SEEDBYTES);
-- shake128_absorb(state, t, 2);
-- shake128_finalize(state);
-+ shake128_inc_init(state);
-+ shake128_inc_absorb(state, seed, SEEDBYTES);
-+ shake128_inc_absorb(state, t, 2);
-+ shake128_inc_finalize(state);
- }
-
--void dilithium_shake256_stream_init(keccak_state *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-+void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
- {
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
-- shake256_init(state);
-- shake256_absorb(state, seed, CRHBYTES);
-- shake256_absorb(state, t, 2);
-- shake256_finalize(state);
-+ shake256_inc_init(state);
-+ shake256_inc_absorb(state, seed, CRHBYTES);
-+ shake256_inc_absorb(state, t, 2);
-+ shake256_inc_finalize(state);
- }
-diff --git a/ref/symmetric.h b/ref/symmetric.h
-index 0b34fb6..13c88da 100644
---- a/ref/symmetric.h
-+++ b/ref/symmetric.h
-@@ -24,25 +24,29 @@ void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
- #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream128_release(STATE) \
-+ aes256_ctx_release(STATE)
- #define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
- #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream256_release(STATE) \
-+ aes256_ctx_release(STATE)
-
- #else
-
- #include "fips202.h"
-
--typedef keccak_state stream128_state;
--typedef keccak_state stream256_state;
-+typedef shake128incctx stream128_state;
-+typedef shake256incctx stream256_state;
-
- #define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
--void dilithium_shake128_stream_init(keccak_state *state,
-+void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
- #define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
--void dilithium_shake256_stream_init(keccak_state *state,
-+void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-@@ -53,10 +57,12 @@ void dilithium_shake256_stream_init(keccak_state *state,
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
- #define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
- #define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
- #define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-+#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
- #endif
-
+++ /dev/null
-diff --git a/Dilithium2_META.yml b/Dilithium2_META.yml
-index 0e2e6fc..f4b7e8f 100644
---- a/Dilithium2_META.yml
-+++ b/Dilithium2_META.yml
-@@ -24,16 +24,14 @@ implementations:
- signature_keypair: pqcrystals_dilithium2_ref_keypair
- signature_signature: pqcrystals_dilithium2_ref_signature
- signature_verify: pqcrystals_dilithium2_ref_verify
-- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
-- common_dep: common_ref
-+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
- - name: avx2
- version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
- compile_opts: -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING
- signature_keypair: pqcrystals_dilithium2_avx2_keypair
- signature_signature: pqcrystals_dilithium2_avx2_signature
- signature_verify: pqcrystals_dilithium2_avx2_verify
-- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
-- common_dep: common_avx2
-+ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
- supported_platforms:
- - architecture: x86_64
- operating_systems:
-diff --git a/Dilithium3_META.yml b/Dilithium3_META.yml
-index d1bca64..f45c859 100644
---- a/Dilithium3_META.yml
-+++ b/Dilithium3_META.yml
-@@ -24,16 +24,14 @@ implementations:
- signature_keypair: pqcrystals_dilithium3_ref_keypair
- signature_signature: pqcrystals_dilithium3_ref_signature
- signature_verify: pqcrystals_dilithium3_ref_verify
-- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
-- common_dep: common_ref
-+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
- - name: avx2
- version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
- compile_opts: -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING
- signature_keypair: pqcrystals_dilithium3_avx2_keypair
- signature_signature: pqcrystals_dilithium3_avx2_signature
- signature_verify: pqcrystals_dilithium3_avx2_verify
-- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
-- common_dep: common_avx2
-+ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
- supported_platforms:
- - architecture: x86_64
- operating_systems:
-diff --git a/Dilithium5_META.yml b/Dilithium5_META.yml
-index a4dbdbf..618b617 100644
---- a/Dilithium5_META.yml
-+++ b/Dilithium5_META.yml
-@@ -24,16 +24,14 @@ implementations:
- signature_keypair: pqcrystals_dilithium5_ref_keypair
- signature_signature: pqcrystals_dilithium5_ref_signature
- signature_verify: pqcrystals_dilithium5_ref_verify
-- sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h fips202.h symmetric-shake.c
-- common_dep: common_ref
-+ sources: ../LICENSE api.h config.h params.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.c ntt.h reduce.c reduce.h rounding.c rounding.h symmetric.h symmetric-shake.c
- - name: avx2
- version: https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409
- compile_opts: -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING
- signature_keypair: pqcrystals_dilithium5_avx2_keypair
- signature_signature: pqcrystals_dilithium5_avx2_signature
- signature_verify: pqcrystals_dilithium5_avx2_verify
-- sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h fips202.h fips202x4.h symmetric-shake.c
-- common_dep: common_avx2
-+ sources: ../LICENSE api.h config.h params.h align.h sign.c sign.h packing.c packing.h polyvec.c polyvec.h poly.c poly.h ntt.S invntt.S pointwise.S ntt.h shuffle.S shuffle.inc consts.c consts.h rejsample.c rejsample.h rounding.c rounding.h symmetric.h symmetric-shake.c
- supported_platforms:
- - architecture: x86_64
- operating_systems:
add_subdirectory(kem/ml_kem)
set(KEM_OBJS ${KEM_OBJS} ${ML_KEM_OBJS})
endif()
-if(OQS_ENABLE_SIG_DILITHIUM)
- add_subdirectory(sig/dilithium)
- set(SIG_OBJS ${SIG_OBJS} ${DILITHIUM_OBJS})
-endif()
if(OQS_ENABLE_SIG_ML_DSA)
add_subdirectory(sig/ml_dsa)
set(SIG_OBJS ${SIG_OBJS} ${ML_DSA_OBJS})
#cmakedefine OQS_ENABLE_KEM_ml_kem_1024_cuda 1
#cmakedefine OQS_ENABLE_KEM_ml_kem_1024_icicle_cuda 1
-#cmakedefine OQS_ENABLE_SIG_DILITHIUM 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_2_avx2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_2_aarch64 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_3 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_3_avx2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_3_aarch64 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_5 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_5_avx2 1
-#cmakedefine OQS_ENABLE_SIG_dilithium_5_aarch64 1
-
#cmakedefine OQS_ENABLE_SIG_ML_DSA 1
#cmakedefine OQS_ENABLE_SIG_ml_dsa_44 1
#cmakedefine OQS_ENABLE_SIG_ml_dsa_44_avx2 1
+++ /dev/null
-# SPDX-License-Identifier: MIT
-
-# This file was generated by
-# scripts/copy_from_upstream/copy_from_upstream.py
-
-set(_DILITHIUM_OBJS "")
-
-if(OQS_ENABLE_SIG_dilithium_2)
- add_library(dilithium_2_ref OBJECT sig_dilithium_2.c pqcrystals-dilithium_dilithium2_ref/ntt.c pqcrystals-dilithium_dilithium2_ref/packing.c pqcrystals-dilithium_dilithium2_ref/poly.c pqcrystals-dilithium_dilithium2_ref/polyvec.c pqcrystals-dilithium_dilithium2_ref/reduce.c pqcrystals-dilithium_dilithium2_ref/rounding.c pqcrystals-dilithium_dilithium2_ref/sign.c pqcrystals-dilithium_dilithium2_ref/symmetric-shake.c)
- target_compile_options(dilithium_2_ref PUBLIC -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING)
- target_include_directories(dilithium_2_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium2_ref)
- target_include_directories(dilithium_2_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_2_ref PUBLIC -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_2_ref>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_2_avx2)
- add_library(dilithium_2_avx2 OBJECT pqcrystals-dilithium_dilithium2_avx2/consts.c pqcrystals-dilithium_dilithium2_avx2/invntt.S pqcrystals-dilithium_dilithium2_avx2/ntt.S pqcrystals-dilithium_dilithium2_avx2/packing.c pqcrystals-dilithium_dilithium2_avx2/pointwise.S pqcrystals-dilithium_dilithium2_avx2/poly.c pqcrystals-dilithium_dilithium2_avx2/polyvec.c pqcrystals-dilithium_dilithium2_avx2/rejsample.c pqcrystals-dilithium_dilithium2_avx2/rounding.c pqcrystals-dilithium_dilithium2_avx2/shuffle.S pqcrystals-dilithium_dilithium2_avx2/sign.c pqcrystals-dilithium_dilithium2_avx2/symmetric-shake.c)
- target_include_directories(dilithium_2_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium2_avx2)
- target_include_directories(dilithium_2_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_2_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(dilithium_2_avx2 PUBLIC -DDILITHIUM_MODE=2 -DDILITHIUM_RANDOMIZED_SIGNING)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_2_avx2>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_2_aarch64)
- add_library(dilithium_2_aarch64 OBJECT oldpqclean_dilithium2_aarch64/__asm_iNTT.S oldpqclean_dilithium2_aarch64/__asm_NTT.S oldpqclean_dilithium2_aarch64/__asm_poly.S oldpqclean_dilithium2_aarch64/feat.S oldpqclean_dilithium2_aarch64/fips202x2.c oldpqclean_dilithium2_aarch64/ntt.c oldpqclean_dilithium2_aarch64/packing.c oldpqclean_dilithium2_aarch64/poly.c oldpqclean_dilithium2_aarch64/polyvec.c oldpqclean_dilithium2_aarch64/reduce.c oldpqclean_dilithium2_aarch64/rounding.c oldpqclean_dilithium2_aarch64/sign.c oldpqclean_dilithium2_aarch64/symmetric-shake.c)
- target_include_directories(dilithium_2_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/oldpqclean_dilithium2_aarch64)
- target_include_directories(dilithium_2_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_2_aarch64 PRIVATE)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_2_aarch64>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_3)
- add_library(dilithium_3_ref OBJECT sig_dilithium_3.c pqcrystals-dilithium_dilithium3_ref/ntt.c pqcrystals-dilithium_dilithium3_ref/packing.c pqcrystals-dilithium_dilithium3_ref/poly.c pqcrystals-dilithium_dilithium3_ref/polyvec.c pqcrystals-dilithium_dilithium3_ref/reduce.c pqcrystals-dilithium_dilithium3_ref/rounding.c pqcrystals-dilithium_dilithium3_ref/sign.c pqcrystals-dilithium_dilithium3_ref/symmetric-shake.c)
- target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING)
- target_include_directories(dilithium_3_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium3_ref)
- target_include_directories(dilithium_3_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_3_ref PUBLIC -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_3_ref>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_3_avx2)
- add_library(dilithium_3_avx2 OBJECT pqcrystals-dilithium_dilithium3_avx2/consts.c pqcrystals-dilithium_dilithium3_avx2/invntt.S pqcrystals-dilithium_dilithium3_avx2/ntt.S pqcrystals-dilithium_dilithium3_avx2/packing.c pqcrystals-dilithium_dilithium3_avx2/pointwise.S pqcrystals-dilithium_dilithium3_avx2/poly.c pqcrystals-dilithium_dilithium3_avx2/polyvec.c pqcrystals-dilithium_dilithium3_avx2/rejsample.c pqcrystals-dilithium_dilithium3_avx2/rounding.c pqcrystals-dilithium_dilithium3_avx2/shuffle.S pqcrystals-dilithium_dilithium3_avx2/sign.c pqcrystals-dilithium_dilithium3_avx2/symmetric-shake.c)
- target_include_directories(dilithium_3_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium3_avx2)
- target_include_directories(dilithium_3_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_3_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(dilithium_3_avx2 PUBLIC -DDILITHIUM_MODE=3 -DDILITHIUM_RANDOMIZED_SIGNING)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_3_avx2>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_3_aarch64)
- add_library(dilithium_3_aarch64 OBJECT oldpqclean_dilithium3_aarch64/__asm_iNTT.S oldpqclean_dilithium3_aarch64/__asm_NTT.S oldpqclean_dilithium3_aarch64/__asm_poly.S oldpqclean_dilithium3_aarch64/feat.S oldpqclean_dilithium3_aarch64/fips202x2.c oldpqclean_dilithium3_aarch64/ntt.c oldpqclean_dilithium3_aarch64/packing.c oldpqclean_dilithium3_aarch64/poly.c oldpqclean_dilithium3_aarch64/polyvec.c oldpqclean_dilithium3_aarch64/reduce.c oldpqclean_dilithium3_aarch64/rounding.c oldpqclean_dilithium3_aarch64/sign.c oldpqclean_dilithium3_aarch64/symmetric-shake.c)
- target_include_directories(dilithium_3_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/oldpqclean_dilithium3_aarch64)
- target_include_directories(dilithium_3_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_3_aarch64 PRIVATE)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_3_aarch64>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_5)
- add_library(dilithium_5_ref OBJECT sig_dilithium_5.c pqcrystals-dilithium_dilithium5_ref/ntt.c pqcrystals-dilithium_dilithium5_ref/packing.c pqcrystals-dilithium_dilithium5_ref/poly.c pqcrystals-dilithium_dilithium5_ref/polyvec.c pqcrystals-dilithium_dilithium5_ref/reduce.c pqcrystals-dilithium_dilithium5_ref/rounding.c pqcrystals-dilithium_dilithium5_ref/sign.c pqcrystals-dilithium_dilithium5_ref/symmetric-shake.c)
- target_compile_options(dilithium_5_ref PUBLIC -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING)
- target_include_directories(dilithium_5_ref PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium5_ref)
- target_include_directories(dilithium_5_ref PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_5_ref PUBLIC -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_5_ref>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_5_avx2)
- add_library(dilithium_5_avx2 OBJECT pqcrystals-dilithium_dilithium5_avx2/consts.c pqcrystals-dilithium_dilithium5_avx2/invntt.S pqcrystals-dilithium_dilithium5_avx2/ntt.S pqcrystals-dilithium_dilithium5_avx2/packing.c pqcrystals-dilithium_dilithium5_avx2/pointwise.S pqcrystals-dilithium_dilithium5_avx2/poly.c pqcrystals-dilithium_dilithium5_avx2/polyvec.c pqcrystals-dilithium_dilithium5_avx2/rejsample.c pqcrystals-dilithium_dilithium5_avx2/rounding.c pqcrystals-dilithium_dilithium5_avx2/shuffle.S pqcrystals-dilithium_dilithium5_avx2/sign.c pqcrystals-dilithium_dilithium5_avx2/symmetric-shake.c)
- target_include_directories(dilithium_5_avx2 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/pqcrystals-dilithium_dilithium5_avx2)
- target_include_directories(dilithium_5_avx2 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_5_avx2 PRIVATE -mavx2 -mpopcnt)
- target_compile_options(dilithium_5_avx2 PUBLIC -DDILITHIUM_MODE=5 -DDILITHIUM_RANDOMIZED_SIGNING)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_5_avx2>)
-endif()
-
-if(OQS_ENABLE_SIG_dilithium_5_aarch64)
- add_library(dilithium_5_aarch64 OBJECT oldpqclean_dilithium5_aarch64/__asm_iNTT.S oldpqclean_dilithium5_aarch64/__asm_NTT.S oldpqclean_dilithium5_aarch64/__asm_poly.S oldpqclean_dilithium5_aarch64/feat.S oldpqclean_dilithium5_aarch64/fips202x2.c oldpqclean_dilithium5_aarch64/ntt.c oldpqclean_dilithium5_aarch64/packing.c oldpqclean_dilithium5_aarch64/poly.c oldpqclean_dilithium5_aarch64/polyvec.c oldpqclean_dilithium5_aarch64/reduce.c oldpqclean_dilithium5_aarch64/rounding.c oldpqclean_dilithium5_aarch64/sign.c oldpqclean_dilithium5_aarch64/symmetric-shake.c)
- target_include_directories(dilithium_5_aarch64 PRIVATE ${CMAKE_CURRENT_LIST_DIR}/oldpqclean_dilithium5_aarch64)
- target_include_directories(dilithium_5_aarch64 PRIVATE ${PROJECT_SOURCE_DIR}/src/common/pqclean_shims)
- target_compile_options(dilithium_5_aarch64 PRIVATE)
- set(_DILITHIUM_OBJS ${_DILITHIUM_OBJS} $<TARGET_OBJECTS:dilithium_5_aarch64>)
-endif()
-
-set(DILITHIUM_OBJS ${_DILITHIUM_OBJS} PARENT_SCOPE)
+++ /dev/null
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
- CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
- LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
- ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
- INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
- REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
- PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
- THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
- HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display,
- communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
- likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
- v. rights protecting the extraction, dissemination, use and reuse of data
- in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation
- thereof, including any amended or successor version of such
- directive); and
-vii. other similar, equivalent or corresponding rights throughout the
- world based on applicable law or treaty, and any national
- implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
- warranties of any kind concerning the Work, express, implied,
- statutory or otherwise, including without limitation warranties of
- title, merchantability, fitness for a particular purpose, non
- infringement, or the absence of latent or other defects, accuracy, or
- the present or absence of errors, whether or not discoverable, all to
- the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without
- limitation any person's Copyright and Related Rights in the Work.
- Further, Affirmer disclaims responsibility for obtaining any necessary
- consents, permissions or other rights required for any use of the
- Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to
- this CC0 or use of the Work.
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef NTT_PARAMS_H
-#define NTT_PARAMS_H
-
-#define ARRAY_N 256
-
-#define NTT_N 256
-#define LOGNTT_N 8
-
-// root of unity: 1753
-
-
-// Q1
-#define Q1 8380417
-// omegaQ1 = 1753 mod Q1
-#define omegaQ1 1753
-// invomegaQ1 = omegaQ^{-1} mod Q1
-#define invomegaQ1 731434
-// R = 2^32 below
-// RmodQ1 = 2^32 mod^{+-} Q1
-#define RmodQ1 (-4186625)
-// Q1prime = Q1^{-1} mod^{+-} 2^32
-#define Q1prime 58728449
-// invNQ1 = NTT_N^{-1} mod Q1
-#define invNQ1 8347681
-
-// invNQ1R2modQ1 = -NTT_N^{-1} 2^32 2^32 mod^{+-} Q1 below
-#define invNQ1R2modQ1 (-41978)
-// invNQ1R2modQ1_prime = invNQ1R2modQ1 (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1R2modQ1_prime 8395782
-// invNQ1R2modQ1_prime_half = (invNQ1R2modQ1 / 2) (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1R2modQ1_prime_half 4197891
-// invNQ1R2modQ1_doubleprime = (invNQ1R2modQ1_prime Q1 - invNQ1R2modQ1) / 2^32
-#define invNQ1R2modQ1_doubleprime 16382
-
-// invNQ1_final_R2modQ1 = -invNQ1R2modQ1 invomegaQ1^{128} mod q
-#define invNQ1_final_R2modQ1 4404704
-// invNQ1_final_R2modQ1_prime = invNQ1_final_R2modQ1 (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1_final_R2modQ1_prime (-151046688)
-// invNQ1_final_R2modQ1_prime_half = (invNQ1_final_R2modQ1 / 2) (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1_final_R2modQ1_prime_half (-75523344)
-// invNQ1_final_R2modQ1_doubleprime = (invNQ1_final_R2modQ1_prime Q1 - invNQ1_final_R2modQ1) / 2^32
-#define invNQ1_final_R2modQ1_doubleprime (-294725)
-
-// RmodQ1_prime = -(RmodQ1 + Q1) Q1prime mod^{+-} 2^32
-#define RmodQ1_prime 512
-// RmodQ1_prime_half = ( -(RmodQ1 + Q1) / 2) Q1prime mod^{+-} 2^32
-#define RmodQ1_prime_half 256
-// RmodQ1_doubleprime = (RmodQ1_prime Q1 - RmodQ1_prime ) / 2^32
-#define RmodQ1_doubleprime 1
-
-#endif
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_top
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_top
-PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_top:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_top:
-
- push_all
- Q .req w20
- src0 .req x0
- src1 .req x1
- src2 .req x2
- src3 .req x3
- src4 .req x4
- src5 .req x5
- src6 .req x6
- src7 .req x7
- src8 .req x8
- src9 .req x9
- src10 .req x10
- src11 .req x11
- src12 .req x12
- src13 .req x13
- src14 .req x14
- src15 .req x15
- table .req x28
- counter .req x19
-
- ldr Q, [x2]
-
- mov table, x1
-
- add src1, src0, #64
- add src2, src0, #128
-
- add src3, src0, #192
- add src4, src0, #256
-
- add src5, src0, #320
- add src6, src0, #384
-
- add src7, src0, #448
- add src8, src0, #512
-
- add src9, src0, #576
- add src10, src0, #640
-
- add src11, src0, #704
- add src12, src0, #768
-
- add src13, src0, #832
- add src14, src0, #896
-
- add src15, src0, #960
-
- ld1 {v20.4S, v21.4S, v22.4S, v23.4S}, [table], #64
- ld1 {v24.4S, v25.4S, v26.4S, v27.4S}, [table], #64
-
- mov v20.S[0], Q
-
- ld1 { v1.4S}, [ src1]
- ld1 { v3.4S}, [ src3]
- ld1 { v5.4S}, [ src5]
- ld1 { v7.4S}, [ src7]
- ld1 { v9.4S}, [ src9]
- ld1 {v11.4S}, [src11]
- ld1 {v13.4S}, [src13]
- ld1 {v15.4S}, [src15]
-
- ld1 { v0.4S}, [ src0]
- ld1 { v2.4S}, [ src2]
- ld1 { v4.4S}, [ src4]
- ld1 { v6.4S}, [ src6]
- ld1 { v8.4S}, [ src8]
- ld1 {v10.4S}, [src10]
- ld1 {v12.4S}, [src12]
- ld1 {v14.4S}, [src14]
-
- qq_butterfly_top v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_bot v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
-
- mov counter, #3
- _ntt_top_loop:
-
- st1 { v1.4S}, [ src1], #16
- ld1 { v1.4S}, [ src1]
- st1 { v3.4S}, [ src3], #16
- ld1 { v3.4S}, [ src3]
- st1 { v5.4S}, [ src5], #16
- ld1 { v5.4S}, [ src5]
- st1 { v7.4S}, [ src7], #16
- ld1 { v7.4S}, [ src7]
- st1 { v9.4S}, [ src9], #16
- ld1 { v9.4S}, [ src9]
- st1 {v11.4S}, [src11], #16
- ld1 {v11.4S}, [src11]
- st1 {v13.4S}, [src13], #16
- ld1 {v13.4S}, [src13]
- st1 {v15.4S}, [src15], #16
- ld1 {v15.4S}, [src15]
-
- st1 { v0.4S}, [ src0], #16
- ld1 { v0.4S}, [ src0]
- st1 { v2.4S}, [ src2], #16
- ld1 { v2.4S}, [ src2]
- st1 { v4.4S}, [ src4], #16
- ld1 { v4.4S}, [ src4]
- st1 { v6.4S}, [ src6], #16
- ld1 { v6.4S}, [ src6]
- st1 { v8.4S}, [ src8], #16
- ld1 { v8.4S}, [ src8]
- st1 {v10.4S}, [src10], #16
- ld1 {v10.4S}, [src10]
- st1 {v12.4S}, [src12], #16
- ld1 {v12.4S}, [src12]
- st1 {v14.4S}, [src14], #16
- ld1 {v14.4S}, [src14]
-
- qq_butterfly_top v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_bot v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
-
- sub counter, counter, #1
- cbnz counter, _ntt_top_loop
-
- st1 { v1.4S}, [ src1], #16
- st1 { v3.4S}, [ src3], #16
- st1 { v5.4S}, [ src5], #16
- st1 { v7.4S}, [ src7], #16
- st1 { v9.4S}, [ src9], #16
- st1 {v11.4S}, [src11], #16
- st1 {v13.4S}, [src13], #16
- st1 {v15.4S}, [src15], #16
-
- st1 { v0.4S}, [ src0], #16
- st1 { v2.4S}, [ src2], #16
- st1 { v4.4S}, [ src4], #16
- st1 { v6.4S}, [ src6], #16
- st1 { v8.4S}, [ src8], #16
- st1 {v10.4S}, [src10], #16
- st1 {v12.4S}, [src12], #16
- st1 {v14.4S}, [src14], #16
-
- .unreq Q
- .unreq src0
- .unreq src1
- .unreq src2
- .unreq src3
- .unreq src4
- .unreq src5
- .unreq src6
- .unreq src7
- .unreq src8
- .unreq src9
- .unreq src10
- .unreq src11
- .unreq src12
- .unreq src13
- .unreq src14
- .unreq src15
- .unreq table
- .unreq counter
- pop_all
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_bot
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_bot
-PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_bot:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_bot:
-
- push_all
- Q .req w20
- src0 .req x0
- des0 .req x1
- src1 .req x2
- des1 .req x3
- table0 .req x28
- table1 .req x27
- counter .req x19
-
- ldr Q, [x2]
-
- add table0, x1, #128
- add table1, table0, #1024
-
- add src1, src0, #512
-
- add des0, src0, #0
- add des1, src0, #512
-
- mov counter, #8
- _ntt_bot_loop:
-
- ld1 { v0.4S, v1.4S, v2.4S, v3.4S}, [src0], #64
- ld1 { v16.4S, v17.4S, v18.4S, v19.4S}, [src1], #64
-
- ld1 { v4.4S, v5.4S}, [table0], #32
- ld2 { v6.4S, v7.4S}, [table0], #32
- ld4 { v8.4S, v9.4S, v10.4S, v11.4S}, [table0], #64
- ld1 { v20.4S, v21.4S}, [table1], #32
- ld2 { v22.4S, v23.4S}, [table1], #32
- ld4 { v24.4S, v25.4S, v26.4S, v27.4S}, [table1], #64
-
- mov v4.S[0], Q
-
- dq_butterfly_top v0, v1, v2, v3, v12, v13, v4, v4, 2, 3, v4, 2, 3
- dq_butterfly_mixed v0, v1, v2, v3, v12, v13, v16, v17, v18, v19, v28, v29, v4, v4, 2, 3, v4, 2, 3, v20, 2, 3, v20, 2, 3
- dq_butterfly_mixed v16, v17, v18, v19, v28, v29, v0, v2, v1, v3, v12, v13, v4, v20, 2, 3, v20, 2, 3, v5, 0, 1, v5, 2, 3
- dq_butterfly_mixed v0, v2, v1, v3, v12, v13, v16, v18, v17, v19, v28, v29, v4, v5, 0, 1, v5, 2, 3, v21, 0, 1, v21, 2, 3
- dq_butterfly_bot v16, v18, v17, v19, v28, v29, v4, v21, 0, 1, v21, 2, 3
-
- trn_4x4 v0, v1, v2, v3, v12, v13, v14, v15
- trn_4x4 v16, v17, v18, v19, v28, v29, v30, v31
-
- dq_butterfly_vec_top v0, v1, v2, v3, v12, v13, v4, v6, v7, v6, v7
- dq_butterfly_vec_mixed v0, v1, v2, v3, v12, v13, v16, v17, v18, v19, v28, v29, v4, v6, v7, v6, v7, v22, v23, v22, v23
- dq_butterfly_vec_mixed v16, v17, v18, v19, v28, v29, v0, v2, v1, v3, v12, v13, v4, v22, v23, v22, v23, v8, v9, v10, v11
- dq_butterfly_vec_mixed v0, v2, v1, v3, v12, v13, v16, v18, v17, v19, v28, v29, v4, v8, v9, v10, v11, v24, v25, v26, v27
- dq_butterfly_vec_bot v16, v18, v17, v19, v28, v29, v4, v24, v25, v26, v27
-
- st4 { v0.4S, v1.4S, v2.4S, v3.4S}, [des0], #64
- st4 { v16.4S, v17.4S, v18.4S, v19.4S}, [des1], #64
-
- sub counter, counter, #1
- cbnz counter, _ntt_bot_loop
-
- .unreq Q
- .unreq src0
- .unreq des0
- .unreq src1
- .unreq des1
- .unreq table0
- .unreq table1
- .unreq counter
- pop_all
-
- br lr
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_top
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_top
-PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_top:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_top:
-
- push_all
- Q .req w20
- Qhalf .req w21
- nQhalf .req w22
- invNR2ph .req w24
- invNR2dp .req w25
- invNWR2ph .req w26
- invNWR2dp .req w27
- src0 .req x0
- src1 .req x1
- src2 .req x2
- src3 .req x3
- src4 .req x4
- src5 .req x5
- src6 .req x6
- src7 .req x7
- src8 .req x8
- src9 .req x9
- src10 .req x10
- src11 .req x11
- src12 .req x12
- src13 .req x13
- src14 .req x14
- src15 .req x15
- table .req x28
- counter .req x19
-
- ldr Q, [x2, #0]
- lsr Qhalf, Q, #1
- neg nQhalf, Qhalf
-
- ldr invNR2ph, [x2, #16]
- ldr invNR2dp, [x2, #20]
- ldr invNWR2ph, [x2, #24]
- ldr invNWR2dp, [x2, #28]
-
- mov table, x1
-
- add src1, src0, #64
- add src2, src0, #128
-
- add src3, src0, #192
- add src4, src0, #256
-
- add src5, src0, #320
- add src6, src0, #384
-
- add src7, src0, #448
- add src8, src0, #512
-
- add src9, src0, #576
- add src10, src0, #640
-
- add src11, src0, #704
- add src12, src0, #768
-
- add src13, src0, #832
- add src14, src0, #896
-
- add src15, src0, #960
-
- ld1 {v20.4S, v21.4S, v22.4S, v23.4S}, [table], #64
- ld1 {v24.4S, v25.4S, v26.4S, v27.4S}, [table], #64
-
- mov v20.S[0], Q
-
- ld1 { v0.4S}, [ src0]
- ld1 { v1.4S}, [ src1]
- ld1 { v2.4S}, [ src2]
- ld1 { v3.4S}, [ src3]
- ld1 { v4.4S}, [ src4]
- ld1 { v5.4S}, [ src5]
- ld1 { v6.4S}, [ src6]
- ld1 { v7.4S}, [ src7]
-
- ld1 { v8.4S}, [ src8]
- ld1 { v9.4S}, [ src9]
- ld1 {v10.4S}, [src10]
- ld1 {v11.4S}, [src11]
- ld1 {v12.4S}, [src12]
- ld1 {v13.4S}, [src13]
- ld1 {v14.4S}, [src14]
- ld1 {v15.4S}, [src15]
-
- qq_butterfly_bot v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed_rev v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_mixed_rev v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3
- qq_butterfly_mixed_rev v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v20, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3
- qq_butterfly_mixed_rev v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v20, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1
- qq_butterfly_mixed_rev v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
- qq_butterfly_top v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
-
- mov v20.S[2], invNWR2ph
- mov v20.S[3], invNWR2dp
-
- qq_sub_add v16, v17, v18, v19, v28, v29, v30, v31, v0, v2, v4, v6, v8, v10, v12, v14
- qq_sub_add v0, v2, v4, v6, v8, v10, v12, v14, v1, v3, v5, v7, v9, v11, v13, v15
-
- qq_montgomery_mul v9, v11, v13, v15, v8, v10, v12, v14, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- mov v20.S[2], invNR2ph
- mov v20.S[3], invNR2dp
-
- qq_montgomery_mul v1, v3, v5, v7, v0, v2, v4, v6, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v0, v2, v4, v6, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- dup v29.4S, Q
- dup v30.4S, Qhalf
- dup v31.4S, nQhalf
-
- cmge v18.4S, v31.4S, v0.4S
- cmge v19.4S, v31.4S, v1.4S
- cmge v16.4S, v0.4S, v30.4S
- cmge v17.4S, v1.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v0.4S, v16.4S, v29.4S
- mla v1.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v2.4S
- cmge v19.4S, v31.4S, v3.4S
- cmge v16.4S, v2.4S, v30.4S
- cmge v17.4S, v3.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v2.4S, v16.4S, v29.4S
- mla v3.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v4.4S
- cmge v19.4S, v31.4S, v5.4S
- cmge v16.4S, v4.4S, v30.4S
- cmge v17.4S, v5.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v4.4S, v16.4S, v29.4S
- mla v5.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v6.4S
- cmge v19.4S, v31.4S, v7.4S
- cmge v16.4S, v6.4S, v30.4S
- cmge v17.4S, v7.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v6.4S, v16.4S, v29.4S
- mla v7.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v8.4S
- cmge v19.4S, v31.4S, v9.4S
- cmge v16.4S, v8.4S, v30.4S
- cmge v17.4S, v9.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v8.4S, v16.4S, v29.4S
- mla v9.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v10.4S
- cmge v19.4S, v31.4S, v11.4S
- cmge v16.4S, v10.4S, v30.4S
- cmge v17.4S, v11.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v10.4S, v16.4S, v29.4S
- mla v11.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v12.4S
- cmge v19.4S, v31.4S, v13.4S
- cmge v16.4S, v12.4S, v30.4S
- cmge v17.4S, v13.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v12.4S, v16.4S, v29.4S
- mla v13.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v14.4S
- cmge v19.4S, v31.4S, v15.4S
- cmge v16.4S, v14.4S, v30.4S
- cmge v17.4S, v15.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v14.4S, v16.4S, v29.4S
- mla v15.4S, v17.4S, v29.4S
-
- mov counter, #3
- _intt_top_loop:
-
- st1 { v0.4S}, [ src0], #16
- ld1 { v0.4S}, [ src0]
- st1 { v1.4S}, [ src1], #16
- ld1 { v1.4S}, [ src1]
- st1 { v2.4S}, [ src2], #16
- ld1 { v2.4S}, [ src2]
- st1 { v3.4S}, [ src3], #16
- ld1 { v3.4S}, [ src3]
- st1 { v4.4S}, [ src4], #16
- ld1 { v4.4S}, [ src4]
- st1 { v5.4S}, [ src5], #16
- ld1 { v5.4S}, [ src5]
- st1 { v6.4S}, [ src6], #16
- ld1 { v6.4S}, [ src6]
- st1 { v7.4S}, [ src7], #16
- ld1 { v7.4S}, [ src7]
-
- st1 { v8.4S}, [ src8], #16
- ld1 { v8.4S}, [ src8]
- st1 { v9.4S}, [ src9], #16
- ld1 { v9.4S}, [ src9]
- st1 {v10.4S}, [src10], #16
- ld1 {v10.4S}, [src10]
- st1 {v11.4S}, [src11], #16
- ld1 {v11.4S}, [src11]
- st1 {v12.4S}, [src12], #16
- ld1 {v12.4S}, [src12]
- st1 {v13.4S}, [src13], #16
- ld1 {v13.4S}, [src13]
- st1 {v14.4S}, [src14], #16
- ld1 {v14.4S}, [src14]
- st1 {v15.4S}, [src15], #16
- ld1 {v15.4S}, [src15]
-
- qq_butterfly_bot v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed_rev v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_mixed_rev v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3
- qq_butterfly_mixed_rev v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v20, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3
- qq_butterfly_mixed_rev v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v20, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1
- qq_butterfly_mixed_rev v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
- qq_butterfly_top v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
-
- mov v20.S[2], invNWR2ph
- mov v20.S[3], invNWR2dp
-
- qq_sub_add v16, v17, v18, v19, v28, v29, v30, v31, v0, v2, v4, v6, v8, v10, v12, v14
- qq_sub_add v0, v2, v4, v6, v8, v10, v12, v14, v1, v3, v5, v7, v9, v11, v13, v15
-
- qq_montgomery_mul v9, v11, v13, v15, v8, v10, v12, v14, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- mov v20.S[2], invNR2ph
- mov v20.S[3], invNR2dp
-
- qq_montgomery_mul v1, v3, v5, v7, v0, v2, v4, v6, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v0, v2, v4, v6, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- dup v29.4S, Q
- dup v30.4S, Qhalf
- dup v31.4S, nQhalf
-
- cmge v18.4S, v31.4S, v0.4S
- cmge v19.4S, v31.4S, v1.4S
- cmge v16.4S, v0.4S, v30.4S
- cmge v17.4S, v1.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v0.4S, v16.4S, v29.4S
- mla v1.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v2.4S
- cmge v19.4S, v31.4S, v3.4S
- cmge v16.4S, v2.4S, v30.4S
- cmge v17.4S, v3.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v2.4S, v16.4S, v29.4S
- mla v3.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v4.4S
- cmge v19.4S, v31.4S, v5.4S
- cmge v16.4S, v4.4S, v30.4S
- cmge v17.4S, v5.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v4.4S, v16.4S, v29.4S
- mla v5.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v6.4S
- cmge v19.4S, v31.4S, v7.4S
- cmge v16.4S, v6.4S, v30.4S
- cmge v17.4S, v7.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v6.4S, v16.4S, v29.4S
- mla v7.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v8.4S
- cmge v19.4S, v31.4S, v9.4S
- cmge v16.4S, v8.4S, v30.4S
- cmge v17.4S, v9.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v8.4S, v16.4S, v29.4S
- mla v9.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v10.4S
- cmge v19.4S, v31.4S, v11.4S
- cmge v16.4S, v10.4S, v30.4S
- cmge v17.4S, v11.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v10.4S, v16.4S, v29.4S
- mla v11.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v12.4S
- cmge v19.4S, v31.4S, v13.4S
- cmge v16.4S, v12.4S, v30.4S
- cmge v17.4S, v13.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v12.4S, v16.4S, v29.4S
- mla v13.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v14.4S
- cmge v19.4S, v31.4S, v15.4S
- cmge v16.4S, v14.4S, v30.4S
- cmge v17.4S, v15.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v14.4S, v16.4S, v29.4S
- mla v15.4S, v17.4S, v29.4S
-
- sub counter, counter, #1
- cbnz counter, _intt_top_loop
-
- st1 { v0.4S}, [ src0], #16
- st1 { v1.4S}, [ src1], #16
- st1 { v2.4S}, [ src2], #16
- st1 { v3.4S}, [ src3], #16
- st1 { v4.4S}, [ src4], #16
- st1 { v5.4S}, [ src5], #16
- st1 { v6.4S}, [ src6], #16
- st1 { v7.4S}, [ src7], #16
-
- st1 { v8.4S}, [ src8], #16
- st1 { v9.4S}, [ src9], #16
- st1 {v10.4S}, [src10], #16
- st1 {v11.4S}, [src11], #16
- st1 {v12.4S}, [src12], #16
- st1 {v13.4S}, [src13], #16
- st1 {v14.4S}, [src14], #16
- st1 {v15.4S}, [src15], #16
-
- .unreq Q
- .unreq Qhalf
- .unreq nQhalf
- .unreq invNR2ph
- .unreq invNR2dp
- .unreq invNWR2ph
- .unreq invNWR2dp
- .unreq src0
- .unreq src1
- .unreq src2
- .unreq src3
- .unreq src4
- .unreq src5
- .unreq src6
- .unreq src7
- .unreq src8
- .unreq src9
- .unreq src10
- .unreq src11
- .unreq src12
- .unreq src13
- .unreq src14
- .unreq src15
- .unreq table
- .unreq counter
- pop_all
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_bot
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_bot
-PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_bot:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_bot:
-
- push_all
- Q .req w20
- RphRdp .req x21
- src0 .req x0
- des0 .req x1
- src1 .req x2
- des1 .req x3
- table0 .req x28
- table1 .req x27
- counter .req x19
-
- ldr Q, [x2]
- ldr RphRdp, [x2, #8]
-
- add table0, x1, #128
- add table1, table0, #1024
-
- add src1, src0, #512
-
- add des0, src0, #0
- add des1, src0, #512
-
- mov counter, #8
- _intt_bot_loop:
-
- ld4 { v0.4S, v1.4S, v2.4S, v3.4S}, [src0], #64
- ld4 { v16.4S, v17.4S, v18.4S, v19.4S}, [src1], #64
-
- ld1 { v4.4S, v5.4S}, [table0], #32
- ld2 { v6.4S, v7.4S}, [table0], #32
- ld4 { v8.4S, v9.4S, v10.4S, v11.4S}, [table0], #64
- ld1 { v20.4S, v21.4S}, [table1], #32
- ld2 { v22.4S, v23.4S}, [table1], #32
- ld4 { v24.4S, v25.4S, v26.4S, v27.4S}, [table1], #64
-
- mov v4.S[0], Q
- mov v20.D[0], RphRdp
-
- dq_butterfly_vec_bot v0, v2, v12, v13, v1, v3, v4, v8, v9, v10, v11
- dq_butterfly_vec_mixed_rev v0, v2, v12, v13, v1, v3, v16, v18, v28, v29, v17, v19, v4, v8, v9, v10, v11, v24, v25, v26, v27
- dq_butterfly_vec_mixed_rev v16, v18, v28, v29, v17, v19, v0, v1, v12, v13, v2, v3, v4, v24, v25, v26, v27, v6, v7, v6, v7
- dq_butterfly_vec_mixed_rev v0, v1, v12, v13, v2, v3, v16, v17, v28, v29, v18, v19, v4, v6, v7, v6, v7, v22, v23, v22, v23
- dq_butterfly_vec_top v16, v17, v28, v29, v18, v19, v4, v22, v23, v22, v23
-
- trn_4x4 v0, v1, v2, v3, v12, v13, v14, v15
- trn_4x4 v16, v17, v18, v19, v28, v29, v30, v31
-
- dq_butterfly_bot v0, v2, v12, v13, v1, v3, v4, v5, 0, 1, v5, 2, 3
- dq_butterfly_mixed_rev v0, v2, v12, v13, v1, v3, v16, v18, v28, v29, v17, v19, v4, v5, 0, 1, v5, 2, 3, v21, 0, 1, v21, 2, 3
- dq_butterfly_mixed_rev v16, v18, v28, v29, v17, v19, v0, v1, v12, v13, v2, v3, v4, v21, 0, 1, v21, 2, 3, v4, 2, 3, v4, 2, 3
- dq_butterfly_mixed_rev v0, v1, v12, v13, v2, v3, v16, v17, v28, v29, v18, v19, v4, v4, 2, 3, v4, 2, 3, v20, 2, 3, v20, 2, 3
- dq_butterfly_top v16, v17, v28, v29, v18, v19, v4, v20, 2, 3, v20, 2, 3
-
- srshr v14.4S, v0.4S, #23
- srshr v15.4S, v1.4S, #23
- srshr v30.4S, v16.4S, #23
- srshr v31.4S, v17.4S, #23
-
- mls v0.4S, v14.4S, v4.S[0]
- mls v1.4S, v15.4S, v4.S[0]
- mls v16.4S, v30.4S, v4.S[0]
- mls v17.4S, v31.4S, v4.S[0]
-
- st1 { v0.4S, v1.4S, v2.4S, v3.4S}, [des0], #64
- st1 { v16.4S, v17.4S, v18.4S, v19.4S}, [des1], #64
-
- sub counter, counter, #1
- cbnz counter, _intt_bot_loop
-
- .unreq Q
- .unreq RphRdp
- .unreq src0
- .unreq des0
- .unreq src1
- .unreq des1
- .unreq table0
- .unreq table1
- .unreq counter
- pop_all
-
- br lr
-
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-#include "params.h"
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_10_to_32
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_10_to_32
-PQCLEAN_DILITHIUM2_AARCH64__asm_10_to_32:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_10_to_32:
-
- mov x7, #16
- _10_to_32_loop:
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #10
- str w3, [x0], #4
- ubfx w4, w2, #10, #10
- str w4, [x0], #4
- ubfx w5, w2, #20, #10
- str w5, [x0], #4
- lsr w6, w2, #30
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #8
- lsl w3, w3, #2
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #8, #10
- str w4, [x0], #4
- ubfx w5, w2, #18, #10
- str w5, [x0], #4
- lsr w6, w2, #28
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #6
- lsl w3, w3, #4
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #6, #10
- str w4, [x0], #4
- ubfx w5, w2, #16, #10
- str w5, [x0], #4
- lsr w6, w2, #26
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #4
- lsl w3, w3, #6
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #4, #10
- str w4, [x0], #4
- ubfx w5, w2, #14, #10
- str w5, [x0], #4
- lsr w6, w2, #24
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #2
- lsl w3, w3, #8
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #2, #10
- str w4, [x0], #4
- ubfx w5, w2, #12, #10
- str w5, [x0], #4
- ubfx w6, w2, #22, #10
- str w6, [x0], #4
-
- sub x7, x7, #1
- cbnz x7, _10_to_32_loop
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_reduce
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_reduce
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_reduce:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_reduce:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #7
- _poly_reduce_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_reduce_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_caddq
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_caddq
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_caddq:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_caddq:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- sshr v16.4S, v0.4S, #31
- ld1 { v5.4S}, [x1], #16
- sshr v17.4S, v1.4S, #31
- ld1 { v6.4S}, [x1], #16
- sshr v18.4S, v2.4S, #31
- ld1 { v7.4S}, [x1], #16
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #7
- _poly_caddq_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- sshr v16.4S, v0.4S, #31
- ld1 { v5.4S}, [x1], #16
- sshr v17.4S, v1.4S, #31
- ld1 { v6.4S}, [x1], #16
- sshr v18.4S, v2.4S, #31
- ld1 { v7.4S}, [x1], #16
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_caddq_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_freeze
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_freeze
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_freeze:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_freeze:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- sshr v16.4S, v0.4S, #31
- mls v5.4S, v21.4S, v24.4S
- sshr v17.4S, v1.4S, #31
- mls v6.4S, v22.4S, v24.4S
- sshr v18.4S, v2.4S, #31
- mls v7.4S, v23.4S, v24.4S
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #8
- _poly_freeze_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- sshr v16.4S, v0.4S, #31
- mls v5.4S, v21.4S, v24.4S
- sshr v17.4S, v1.4S, #31
- mls v6.4S, v22.4S, v24.4S
- sshr v18.4S, v2.4S, #31
- mls v7.4S, v23.4S, v24.4S
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_freeze_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_power2round
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_power2round
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_power2round:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_power2round:
-
- mov w4, #1
-
- dup v28.4S, w4
-
- ld1 { v0.4S}, [x2], #16
- ld1 { v1.4S}, [x2], #16
- ld1 { v2.4S}, [x2], #16
- ld1 { v3.4S}, [x2], #16
-
- ld1 {v20.4S}, [x2], #16
- sub v4.4S, v0.4S, v28.4S
- ld1 {v21.4S}, [x2], #16
- sub v5.4S, v1.4S, v28.4S
- ld1 {v22.4S}, [x2], #16
- sub v6.4S, v2.4S, v28.4S
- ld1 {v23.4S}, [x2], #16
- sub v7.4S, v3.4S, v28.4S
-
- sub v24.4S, v20.4S, v28.4S
- srshr v16.4S, v4.4S, #13
- sub v25.4S, v21.4S, v28.4S
- srshr v17.4S, v5.4S, #13
- sub v26.4S, v22.4S, v28.4S
- srshr v18.4S, v6.4S, #13
- sub v27.4S, v23.4S, v28.4S
- srshr v19.4S, v7.4S, #13
-
- srshr v28.4S, v24.4S, #13
- st1 {v16.4S}, [x0], #16
- srshr v29.4S, v25.4S, #13
- st1 {v17.4S}, [x0], #16
- srshr v30.4S, v26.4S, #13
- st1 {v18.4S}, [x0], #16
- srshr v31.4S, v27.4S, #13
- st1 {v19.4S}, [x0], #16
-
- st1 {v28.4S}, [x0], #16
- shl v4.4S, v16.4S, #13
- st1 {v29.4S}, [x0], #16
- shl v5.4S, v17.4S, #13
- st1 {v30.4S}, [x0], #16
- shl v6.4S, v18.4S, #13
- st1 {v31.4S}, [x0], #16
- shl v7.4S, v19.4S, #13
-
- shl v24.4S, v28.4S, #13
- sub v16.4S, v0.4S, v4.4S
- shl v25.4S, v29.4S, #13
- sub v17.4S, v1.4S, v5.4S
- shl v26.4S, v30.4S, #13
- sub v18.4S, v2.4S, v6.4S
- shl v27.4S, v31.4S, #13
- sub v19.4S, v3.4S, v7.4S
-
- sub v28.4S, v20.4S, v24.4S
- st1 {v16.4S}, [x1], #16
- sub v29.4S, v21.4S, v25.4S
- st1 {v17.4S}, [x1], #16
- sub v30.4S, v22.4S, v26.4S
- st1 {v18.4S}, [x1], #16
- sub v31.4S, v23.4S, v27.4S
- st1 {v19.4S}, [x1], #16
-
- mov x16, #7
- _poly_power2round_loop:
-
- st1 {v28.4S}, [x1], #16
- dup v28.4S, w4
- ld1 { v0.4S}, [x2], #16
- st1 {v29.4S}, [x1], #16
- ld1 { v1.4S}, [x2], #16
- st1 {v30.4S}, [x1], #16
- ld1 { v2.4S}, [x2], #16
- st1 {v31.4S}, [x1], #16
- ld1 { v3.4S}, [x2], #16
-
- ld1 {v20.4S}, [x2], #16
- sub v4.4S, v0.4S, v28.4S
- ld1 {v21.4S}, [x2], #16
- sub v5.4S, v1.4S, v28.4S
- ld1 {v22.4S}, [x2], #16
- sub v6.4S, v2.4S, v28.4S
- ld1 {v23.4S}, [x2], #16
- sub v7.4S, v3.4S, v28.4S
-
- sub v24.4S, v20.4S, v28.4S
- srshr v16.4S, v4.4S, #13
- sub v25.4S, v21.4S, v28.4S
- srshr v17.4S, v5.4S, #13
- sub v26.4S, v22.4S, v28.4S
- srshr v18.4S, v6.4S, #13
- sub v27.4S, v23.4S, v28.4S
- srshr v19.4S, v7.4S, #13
-
- srshr v28.4S, v24.4S, #13
- st1 {v16.4S}, [x0], #16
- srshr v29.4S, v25.4S, #13
- st1 {v17.4S}, [x0], #16
- srshr v30.4S, v26.4S, #13
- st1 {v18.4S}, [x0], #16
- srshr v31.4S, v27.4S, #13
- st1 {v19.4S}, [x0], #16
-
- st1 {v28.4S}, [x0], #16
- shl v4.4S, v16.4S, #13
- st1 {v29.4S}, [x0], #16
- shl v5.4S, v17.4S, #13
- st1 {v30.4S}, [x0], #16
- shl v6.4S, v18.4S, #13
- st1 {v31.4S}, [x0], #16
- shl v7.4S, v19.4S, #13
-
- shl v24.4S, v28.4S, #13
- sub v16.4S, v0.4S, v4.4S
- shl v25.4S, v29.4S, #13
- sub v17.4S, v1.4S, v5.4S
- shl v26.4S, v30.4S, #13
- sub v18.4S, v2.4S, v6.4S
- shl v27.4S, v31.4S, #13
- sub v19.4S, v3.4S, v7.4S
-
- sub v28.4S, v20.4S, v24.4S
- st1 {v16.4S}, [x1], #16
- sub v29.4S, v21.4S, v25.4S
- st1 {v17.4S}, [x1], #16
- sub v30.4S, v22.4S, v26.4S
- st1 {v18.4S}, [x1], #16
- sub v31.4S, v23.4S, v27.4S
- st1 {v19.4S}, [x1], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_power2round_loop
-
- st1 {v28.4S}, [x1], #16
- st1 {v29.4S}, [x1], #16
- st1 {v30.4S}, [x1], #16
- st1 {v31.4S}, [x1], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_add
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_add
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_add:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_add:
-
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- add v16.4S, v0.4S, v4.4S
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- add v17.4S, v1.4S, v5.4S
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- add v18.4S, v2.4S, v6.4S
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- add v19.4S, v3.4S, v7.4S
-
- mov x16, #15
- _poly_add_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- add v16.4S, v0.4S, v4.4S
- st1 {v17.4S}, [x0], #16
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- add v17.4S, v1.4S, v5.4S
- st1 {v18.4S}, [x0], #16
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- add v18.4S, v2.4S, v6.4S
- st1 {v19.4S}, [x0], #16
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- add v19.4S, v3.4S, v7.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_add_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_sub
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_sub
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_sub:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_sub:
-
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- sub v16.4S, v0.4S, v4.4S
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- sub v17.4S, v1.4S, v5.4S
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- sub v18.4S, v2.4S, v6.4S
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- sub v19.4S, v3.4S, v7.4S
-
- mov x16, #15
- _poly_sub_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- sub v16.4S, v0.4S, v4.4S
- st1 {v17.4S}, [x0], #16
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- sub v17.4S, v1.4S, v5.4S
- st1 {v18.4S}, [x0], #16
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- sub v18.4S, v2.4S, v6.4S
- st1 {v19.4S}, [x0], #16
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- sub v19.4S, v3.4S, v7.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_sub_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_shiftl
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_shiftl
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_shiftl:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_shiftl:
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- shl v16.4S, v0.4S, #13
- ld1 { v1.4S}, [x1], #16
- shl v17.4S, v1.4S, #13
- ld1 { v2.4S}, [x1], #16
- shl v18.4S, v2.4S, #13
- ld1 { v3.4S}, [x1], #16
- shl v19.4S, v3.4S, #13
- ld1 { v4.4S}, [x1], #16
- shl v20.4S, v4.4S, #13
- ld1 { v5.4S}, [x1], #16
- shl v21.4S, v5.4S, #13
- ld1 { v6.4S}, [x1], #16
- shl v22.4S, v6.4S, #13
- ld1 { v7.4S}, [x1], #16
- shl v23.4S, v7.4S, #13
-
- mov x16, #7
- _poly_shiftl_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- shl v16.4S, v0.4S, #13
- st1 {v17.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- shl v17.4S, v1.4S, #13
- st1 {v18.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- shl v18.4S, v2.4S, #13
- st1 {v19.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
- shl v19.4S, v3.4S, #13
- st1 {v20.4S}, [x0], #16
- ld1 { v4.4S}, [x1], #16
- shl v20.4S, v4.4S, #13
- st1 {v21.4S}, [x0], #16
- ld1 { v5.4S}, [x1], #16
- shl v21.4S, v5.4S, #13
- st1 {v22.4S}, [x0], #16
- ld1 { v6.4S}, [x1], #16
- shl v22.4S, v6.4S, #13
- st1 {v23.4S}, [x0], #16
- ld1 { v7.4S}, [x1], #16
- shl v23.4S, v7.4S, #13
-
- sub x16, x16, #1
- cbnz x16, _poly_shiftl_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
- st1 {v20.4S}, [x0], #16
- st1 {v21.4S}, [x0], #16
- st1 {v22.4S}, [x0], #16
- st1 {v23.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_poly_pointwise_montgomery
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_poly_pointwise_montgomery
-PQCLEAN_DILITHIUM2_AARCH64__asm_poly_pointwise_montgomery:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_poly_pointwise_montgomery:
-
- push_all
-
- ldr w20, [x3, #0]
- ldr w21, [x3, #4]
-
- dup v30.4S, w20
- dup v31.4S, w21
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- mov x16, #15
- _poly_pointwise_montgomery_loop:
-
- st1 {v24.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 {v25.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 {v26.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 {v27.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_pointwise_montgomery_loop
-
- st1 {v24.4S}, [x0], #16
- st1 {v25.4S}, [x0], #16
- st1 {v26.4S}, [x0], #16
- st1 {v27.4S}, [x0], #16
-
- pop_all
-
- br lr
-
-
-.align 2
-.global PQCLEAN_DILITHIUM2_AARCH64__asm_polyvecl_pointwise_acc_montgomery
-.global _PQCLEAN_DILITHIUM2_AARCH64__asm_polyvecl_pointwise_acc_montgomery
-PQCLEAN_DILITHIUM2_AARCH64__asm_polyvecl_pointwise_acc_montgomery:
-_PQCLEAN_DILITHIUM2_AARCH64__asm_polyvecl_pointwise_acc_montgomery:
-
- push_all
-
- ldr w20, [x3, #0]
- ldr w21, [x3, #4]
-
- add x5, x1, #1024*1
- add x6, x2, #1024*1
-
- add x7, x1, #1024*2
- add x8, x2, #1024*2
-
- add x9, x1, #1024*3
- add x10, x2, #1024*3
-
-#if L > 4
- add x11, x1, #1024*4
- add x12, x2, #1024*4
-#endif
-
-#if L > 5
- add x13, x11, #1024*1
- add x14, x12, #1024*1
-
- add x15, x11, #1024*2
- add x19, x12, #1024*2
-#endif
-
- dup v30.4S, w20
- dup v31.4S, w21
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x5], #16
- ld1 { v4.4S}, [ x6], #16
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x5], #16
- ld1 { v5.4S}, [ x6], #16
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x5], #16
- ld1 { v6.4S}, [ x6], #16
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x5], #16
- ld1 { v7.4S}, [ x6], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x7], #16
- ld1 { v4.4S}, [ x8], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x7], #16
- ld1 { v5.4S}, [ x8], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x7], #16
- ld1 { v6.4S}, [ x8], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x7], #16
- ld1 { v7.4S}, [ x8], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x9], #16
- ld1 { v4.4S}, [x10], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x9], #16
- ld1 { v5.4S}, [x10], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x9], #16
- ld1 { v6.4S}, [x10], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x9], #16
- ld1 { v7.4S}, [x10], #16
-
-#if L > 4
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x11], #16
- ld1 { v4.4S}, [x12], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x11], #16
- ld1 { v5.4S}, [x12], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x11], #16
- ld1 { v6.4S}, [x12], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x11], #16
- ld1 { v7.4S}, [x12], #16
-#endif
-
-#if L > 5
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x13], #16
- ld1 { v4.4S}, [x14], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x13], #16
- ld1 { v5.4S}, [x14], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x13], #16
- ld1 { v6.4S}, [x14], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x13], #16
- ld1 { v7.4S}, [x14], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x15], #16
- ld1 { v4.4S}, [x19], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x15], #16
- ld1 { v5.4S}, [x19], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x15], #16
- ld1 { v6.4S}, [x19], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x15], #16
- ld1 { v7.4S}, [x19], #16
-#endif
-
- mov x16, #15
- _polyvecl_pointwise_acc_montgomery_loop:
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- ld1 { v0.4S}, [x1], #16
- uzp1 v21.4S, v13.4S, v17.4S
- ld1 { v1.4S}, [x1], #16
- uzp1 v22.4S, v14.4S, v18.4S
- ld1 { v2.4S}, [x1], #16
- uzp1 v23.4S, v15.4S, v19.4S
- ld1 { v3.4S}, [x1], #16
-
- mul v24.4S, v20.4S, v31.4S
- ld1 { v4.4S}, [x2], #16
- mul v25.4S, v21.4S, v31.4S
- ld1 { v5.4S}, [x2], #16
- mul v26.4S, v22.4S, v31.4S
- ld1 { v6.4S}, [x2], #16
- mul v27.4S, v23.4S, v31.4S
- ld1 { v7.4S}, [x2], #16
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x5], #16
- st1 {v24.4S}, [x0], #16
- ld1 { v4.4S}, [ x6], #16
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x5], #16
- st1 {v25.4S}, [x0], #16
- ld1 { v5.4S}, [ x6], #16
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x5], #16
- st1 {v26.4S}, [x0], #16
- ld1 { v6.4S}, [ x6], #16
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x5], #16
- st1 {v27.4S}, [x0], #16
- ld1 { v7.4S}, [ x6], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x7], #16
- ld1 { v4.4S}, [ x8], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x7], #16
- ld1 { v5.4S}, [ x8], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x7], #16
- ld1 { v6.4S}, [ x8], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x7], #16
- ld1 { v7.4S}, [ x8], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x9], #16
- ld1 { v4.4S}, [x10], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x9], #16
- ld1 { v5.4S}, [x10], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x9], #16
- ld1 { v6.4S}, [x10], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x9], #16
- ld1 { v7.4S}, [x10], #16
-
-#if L > 4
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x11], #16
- ld1 { v4.4S}, [x12], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x11], #16
- ld1 { v5.4S}, [x12], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x11], #16
- ld1 { v6.4S}, [x12], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x11], #16
- ld1 { v7.4S}, [x12], #16
-#endif
-
-#if L > 5
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x13], #16
- ld1 { v4.4S}, [x14], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x13], #16
- ld1 { v5.4S}, [x14], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x13], #16
- ld1 { v6.4S}, [x14], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x13], #16
- ld1 { v7.4S}, [x14], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x15], #16
- ld1 { v4.4S}, [x19], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x15], #16
- ld1 { v5.4S}, [x19], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x15], #16
- ld1 { v6.4S}, [x19], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x15], #16
- ld1 { v7.4S}, [x19], #16
-#endif
-
- sub x16, x16, #1
- cbnz x16, _polyvecl_pointwise_acc_montgomery_loop
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- st1 {v24.4S}, [x0], #16
- st1 {v25.4S}, [x0], #16
- st1 {v26.4S}, [x0], #16
- st1 {v27.4S}, [x0], #16
-
- pop_all
-
- br lr
-
-
-
-
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PQCLEAN_DILITHIUM2_AARCH64_API_H
-#define PQCLEAN_DILITHIUM2_AARCH64_API_H
-
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define PQCLEAN_DILITHIUM2_AARCH64_CRYPTO_PUBLICKEYBYTES 1312
-#define PQCLEAN_DILITHIUM2_AARCH64_CRYPTO_SECRETKEYBYTES 2528
-#define PQCLEAN_DILITHIUM2_AARCH64_CRYPTO_BYTES 2420
-#define PQCLEAN_DILITHIUM2_AARCH64_CRYPTO_ALGNAME "Dilithium2"
-
-int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-
-/*
-MIT License
-
-Copyright (c) 2020 Bas Westerbaan
-Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-*/
-
-#if (__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3)
-
-.macro round
- ; Execute theta, but without xoring into the state yet.
- ; Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- rax1.2d v30, v29, v26 ; d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v29, v27, v29 ; d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v27, v25, v27 ; d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v25, v28, v25 ; d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v28, v26, v28 ; d[2] = rotl(p[3], 1) ^ p[1]
-
- ; Xor parities from step theta into the state at the same time
- ; as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- ; Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- ; iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global PQCLEAN_DILITHIUM2_AARCH64_f1600x2
-.global _PQCLEAN_DILITHIUM2_AARCH64_f1600x2
-PQCLEAN_DILITHIUM2_AARCH64_f1600x2:
-_PQCLEAN_DILITHIUM2_AARCH64_f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * at https://github.com/GMUCERG/PQC_NEON/blob/main/neon/kyber or
- * public domain at https://github.com/cothan/kyber/blob/master/neon
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License for this file.
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include <arm_neon.h>
-#include <stddef.h>
-#include "fips202x2.h"
-
-
-#define NROUNDS 24
-
-// Define NEON operation
-// c = load(ptr)
-#define vload(ptr) vld1q_u64(ptr);
-// ptr <= c;
-#define vstore(ptr, c) vst1q_u64(ptr, c);
-// c = a ^ b
-#define vxor(c, a, b) c = veorq_u64(a, b);
-// Rotate by n bit ((a << offset) ^ (a >> (64-offset)))
-#define vROL(out, a, offset) \
- (out) = vshlq_n_u64(a, offset); \
- (out) = vsriq_n_u64(out, a, 64 - (offset));
-// Xor chain: out = a ^ b ^ c ^ d ^ e
-#define vXOR4(out, a, b, c, d, e) \
- (out) = veorq_u64(a, b); \
- (out) = veorq_u64(out, c); \
- (out) = veorq_u64(out, d); \
- (out) = veorq_u64(out, e);
-// Not And c = ~a & b
-// #define vbic(c, a, b) c = vbicq_u64(b, a);
-// Xor Not And: out = a ^ ( (~b) & c)
-#define vXNA(out, a, b, c) \
- (out) = vbicq_u64(c, b); \
- (out) = veorq_u64(out, a);
-// Rotate by 1 bit, then XOR: a ^ ROL(b): SHA1 instruction, not support
-#define vrxor(c, a, b) c = vrax1q_u64(a, b);
-// End Define
-
-/* Keccak round constants */
-static const uint64_t neon_KeccakF_RoundConstants[NROUNDS] = {
- (uint64_t)0x0000000000000001ULL,
- (uint64_t)0x0000000000008082ULL,
- (uint64_t)0x800000000000808aULL,
- (uint64_t)0x8000000080008000ULL,
- (uint64_t)0x000000000000808bULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008009ULL,
- (uint64_t)0x000000000000008aULL,
- (uint64_t)0x0000000000000088ULL,
- (uint64_t)0x0000000080008009ULL,
- (uint64_t)0x000000008000000aULL,
- (uint64_t)0x000000008000808bULL,
- (uint64_t)0x800000000000008bULL,
- (uint64_t)0x8000000000008089ULL,
- (uint64_t)0x8000000000008003ULL,
- (uint64_t)0x8000000000008002ULL,
- (uint64_t)0x8000000000000080ULL,
- (uint64_t)0x000000000000800aULL,
- (uint64_t)0x800000008000000aULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008080ULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008008ULL
-};
-
-/*************************************************
-* Name: KeccakF1600_StatePermutex2
-*
-* Description: The Keccak F1600 Permutation
-*
-* Arguments: - uint64_t *state: pointer to input/output Keccak state
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64_f1600x2(v128*, const uint64_t*);
-static inline
-void KeccakF1600_StatePermutex2(v128 state[25])
-{
-#if (__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3) /* although not sure what is being implemented, we find something fast */
- PQCLEAN_DILITHIUM2_AARCH64_f1600x2(state, neon_KeccakF_RoundConstants);
-#else
- v128 Aba, Abe, Abi, Abo, Abu;
- v128 Aga, Age, Agi, Ago, Agu;
- v128 Aka, Ake, Aki, Ako, Aku;
- v128 Ama, Ame, Ami, Amo, Amu;
- v128 Asa, Ase, Asi, Aso, Asu;
- v128 BCa, BCe, BCi, BCo, BCu; // tmp
- v128 Da, De, Di, Do, Du; // D
- v128 Eba, Ebe, Ebi, Ebo, Ebu;
- v128 Ega, Ege, Egi, Ego, Egu;
- v128 Eka, Eke, Eki, Eko, Eku;
- v128 Ema, Eme, Emi, Emo, Emu;
- v128 Esa, Ese, Esi, Eso, Esu;
-
- //copyFromState(A, state)
- Aba = state[0];
- Abe = state[1];
- Abi = state[2];
- Abo = state[3];
- Abu = state[4];
- Aga = state[5];
- Age = state[6];
- Agi = state[7];
- Ago = state[8];
- Agu = state[9];
- Aka = state[10];
- Ake = state[11];
- Aki = state[12];
- Ako = state[13];
- Aku = state[14];
- Ama = state[15];
- Ame = state[16];
- Ami = state[17];
- Amo = state[18];
- Amu = state[19];
- Asa = state[20];
- Ase = state[21];
- Asi = state[22];
- Aso = state[23];
- Asu = state[24];
-
- for (int round = 0; round < NROUNDS; round += 2)
- {
- // prepareTheta
- vXOR4(BCa, Aba, Aga, Aka, Ama, Asa);
- vXOR4(BCe, Abe, Age, Ake, Ame, Ase);
- vXOR4(BCi, Abi, Agi, Aki, Ami, Asi);
- vXOR4(BCo, Abo, Ago, Ako, Amo, Aso);
- vXOR4(BCu, Abu, Agu, Aku, Amu, Asu);
-
- //thetaRhoPiChiIotaPrepareTheta(round , A, E)
- vROL(Da, BCe, 1);
- vxor(Da, BCu, Da);
- vROL(De, BCi, 1);
- vxor(De, BCa, De);
- vROL(Di, BCo, 1);
- vxor(Di, BCe, Di);
- vROL(Do, BCu, 1);
- vxor(Do, BCi, Do);
- vROL(Du, BCa, 1);
- vxor(Du, BCo, Du);
-
- vxor(Aba, Aba, Da);
- vxor(Age, Age, De);
- vROL(BCe, Age, 44);
- vxor(Aki, Aki, Di);
- vROL(BCi, Aki, 43);
- vxor(Amo, Amo, Do);
- vROL(BCo, Amo, 21);
- vxor(Asu, Asu, Du);
- vROL(BCu, Asu, 14);
- vXNA(Eba, Aba, BCe, BCi);
- vxor(Eba, Eba, vdupq_n_u64(neon_KeccakF_RoundConstants[round]));
- vXNA(Ebe, BCe, BCi, BCo);
- vXNA(Ebi, BCi, BCo, BCu);
- vXNA(Ebo, BCo, BCu, Aba);
- vXNA(Ebu, BCu, Aba, BCe);
-
- vxor(Abo, Abo, Do);
- vROL(BCa, Abo, 28);
- vxor(Agu, Agu, Du);
- vROL(BCe, Agu, 20);
- vxor(Aka, Aka, Da);
- vROL(BCi, Aka, 3);
- vxor(Ame, Ame, De);
- vROL(BCo, Ame, 45);
- vxor(Asi, Asi, Di);
- vROL(BCu, Asi, 61);
- vXNA(Ega, BCa, BCe, BCi);
- vXNA(Ege, BCe, BCi, BCo);
- vXNA(Egi, BCi, BCo, BCu);
- vXNA(Ego, BCo, BCu, BCa);
- vXNA(Egu, BCu, BCa, BCe);
-
- vxor(Abe, Abe, De);
- vROL(BCa, Abe, 1);
- vxor(Agi, Agi, Di);
- vROL(BCe, Agi, 6);
- vxor(Ako, Ako, Do);
- vROL(BCi, Ako, 25);
- vxor(Amu, Amu, Du);
- vROL(BCo, Amu, 8);
- vxor(Asa, Asa, Da);
- vROL(BCu, Asa, 18);
- vXNA(Eka, BCa, BCe, BCi);
- vXNA(Eke, BCe, BCi, BCo);
- vXNA(Eki, BCi, BCo, BCu);
- vXNA(Eko, BCo, BCu, BCa);
- vXNA(Eku, BCu, BCa, BCe);
-
- vxor(Abu, Abu, Du);
- vROL(BCa, Abu, 27);
- vxor(Aga, Aga, Da);
- vROL(BCe, Aga, 36);
- vxor(Ake, Ake, De);
- vROL(BCi, Ake, 10);
- vxor(Ami, Ami, Di);
- vROL(BCo, Ami, 15);
- vxor(Aso, Aso, Do);
- vROL(BCu, Aso, 56);
- vXNA(Ema, BCa, BCe, BCi);
- vXNA(Eme, BCe, BCi, BCo);
- vXNA(Emi, BCi, BCo, BCu);
- vXNA(Emo, BCo, BCu, BCa);
- vXNA(Emu, BCu, BCa, BCe);
-
- vxor(Abi, Abi, Di);
- vROL(BCa, Abi, 62);
- vxor(Ago, Ago, Do);
- vROL(BCe, Ago, 55);
- vxor(Aku, Aku, Du);
- vROL(BCi, Aku, 39);
- vxor(Ama, Ama, Da);
- vROL(BCo, Ama, 41);
- vxor(Ase, Ase, De);
- vROL(BCu, Ase, 2);
- vXNA(Esa, BCa, BCe, BCi);
- vXNA(Ese, BCe, BCi, BCo);
- vXNA(Esi, BCi, BCo, BCu);
- vXNA(Eso, BCo, BCu, BCa);
- vXNA(Esu, BCu, BCa, BCe);
-
- // Next Round
-
- // prepareTheta
- vXOR4(BCa, Eba, Ega, Eka, Ema, Esa);
- vXOR4(BCe, Ebe, Ege, Eke, Eme, Ese);
- vXOR4(BCi, Ebi, Egi, Eki, Emi, Esi);
- vXOR4(BCo, Ebo, Ego, Eko, Emo, Eso);
- vXOR4(BCu, Ebu, Egu, Eku, Emu, Esu);
-
- //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
- vROL(Da, BCe, 1);
- vxor(Da, BCu, Da);
- vROL(De, BCi, 1);
- vxor(De, BCa, De);
- vROL(Di, BCo, 1);
- vxor(Di, BCe, Di);
- vROL(Do, BCu, 1);
- vxor(Do, BCi, Do);
- vROL(Du, BCa, 1);
- vxor(Du, BCo, Du);
-
- vxor(Eba, Eba, Da);
- vxor(Ege, Ege, De);
- vROL(BCe, Ege, 44);
- vxor(Eki, Eki, Di);
- vROL(BCi, Eki, 43);
- vxor(Emo, Emo, Do);
- vROL(BCo, Emo, 21);
- vxor(Esu, Esu, Du);
- vROL(BCu, Esu, 14);
- vXNA(Aba, Eba, BCe, BCi);
- vxor(Aba, Aba, vdupq_n_u64(neon_KeccakF_RoundConstants[round + 1]));
- vXNA(Abe, BCe, BCi, BCo);
- vXNA(Abi, BCi, BCo, BCu);
- vXNA(Abo, BCo, BCu, Eba);
- vXNA(Abu, BCu, Eba, BCe);
-
- vxor(Ebo, Ebo, Do);
- vROL(BCa, Ebo, 28);
- vxor(Egu, Egu, Du);
- vROL(BCe, Egu, 20);
- vxor(Eka, Eka, Da);
- vROL(BCi, Eka, 3);
- vxor(Eme, Eme, De);
- vROL(BCo, Eme, 45);
- vxor(Esi, Esi, Di);
- vROL(BCu, Esi, 61);
- vXNA(Aga, BCa, BCe, BCi);
- vXNA(Age, BCe, BCi, BCo);
- vXNA(Agi, BCi, BCo, BCu);
- vXNA(Ago, BCo, BCu, BCa);
- vXNA(Agu, BCu, BCa, BCe);
-
- vxor(Ebe, Ebe, De);
- vROL(BCa, Ebe, 1);
- vxor(Egi, Egi, Di);
- vROL(BCe, Egi, 6);
- vxor(Eko, Eko, Do);
- vROL(BCi, Eko, 25);
- vxor(Emu, Emu, Du);
- vROL(BCo, Emu, 8);
- vxor(Esa, Esa, Da);
- vROL(BCu, Esa, 18);
- vXNA(Aka, BCa, BCe, BCi);
- vXNA(Ake, BCe, BCi, BCo);
- vXNA(Aki, BCi, BCo, BCu);
- vXNA(Ako, BCo, BCu, BCa);
- vXNA(Aku, BCu, BCa, BCe);
-
- vxor(Ebu, Ebu, Du);
- vROL(BCa, Ebu, 27);
- vxor(Ega, Ega, Da);
- vROL(BCe, Ega, 36);
- vxor(Eke, Eke, De);
- vROL(BCi, Eke, 10);
- vxor(Emi, Emi, Di);
- vROL(BCo, Emi, 15);
- vxor(Eso, Eso, Do);
- vROL(BCu, Eso, 56);
- vXNA(Ama, BCa, BCe, BCi);
- vXNA(Ame, BCe, BCi, BCo);
- vXNA(Ami, BCi, BCo, BCu);
- vXNA(Amo, BCo, BCu, BCa);
- vXNA(Amu, BCu, BCa, BCe);
-
- vxor(Ebi, Ebi, Di);
- vROL(BCa, Ebi, 62);
- vxor(Ego, Ego, Do);
- vROL(BCe, Ego, 55);
- vxor(Eku, Eku, Du);
- vROL(BCi, Eku, 39);
- vxor(Ema, Ema, Da);
- vROL(BCo, Ema, 41);
- vxor(Ese, Ese, De);
- vROL(BCu, Ese, 2);
- vXNA(Asa, BCa, BCe, BCi);
- vXNA(Ase, BCe, BCi, BCo);
- vXNA(Asi, BCi, BCo, BCu);
- vXNA(Aso, BCo, BCu, BCa);
- vXNA(Asu, BCu, BCa, BCe);
- }
-
- state[0] = Aba;
- state[1] = Abe;
- state[2] = Abi;
- state[3] = Abo;
- state[4] = Abu;
- state[5] = Aga;
- state[6] = Age;
- state[7] = Agi;
- state[8] = Ago;
- state[9] = Agu;
- state[10] = Aka;
- state[11] = Ake;
- state[12] = Aki;
- state[13] = Ako;
- state[14] = Aku;
- state[15] = Ama;
- state[16] = Ame;
- state[17] = Ami;
- state[18] = Amo;
- state[19] = Amu;
- state[20] = Asa;
- state[21] = Ase;
- state[22] = Asi;
- state[23] = Aso;
- state[24] = Asu;
-#endif
-}
-
-/*************************************************
-* Name: keccakx2_absorb
-*
-* Description: Absorb step of Keccak;
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
-* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
-* - const uint8_t *m: pointer to input to be absorbed into s
-* - size_t mlen: length of input in bytes
-* - uint8_t p: domain-separation byte for different
-* Keccak-derived functions
-**************************************************/
-static
-void keccakx2_absorb(v128 s[25],
- unsigned int r,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen,
- uint8_t p) {
- size_t i, pos = 0;
-
- // Declare SIMD registers
- v128 tmp, mask;
- uint64x1_t a, b;
- uint64x2_t a1, b1, atmp1, btmp1;
- uint64x2x2_t a2, b2, atmp2, btmp2;
- // End
-
- for (i = 0; i < 25; ++i) {
- s[i] = vdupq_n_u64(0);
- }
-
- // Load in0[i] to register, then in1[i] to register, exchange them
- while (inlen >= r) {
- for (i = 0; i < r / 8 - 1; i += 4) {
- a2 = vld1q_u64_x2((uint64_t *)&in0[pos]);
- b2 = vld1q_u64_x2((uint64_t *)&in1[pos]);
- // BD = zip1(AB and CD)
- atmp2.val[0] = vzip1q_u64(a2.val[0], b2.val[0]);
- atmp2.val[1] = vzip1q_u64(a2.val[1], b2.val[1]);
- // AC = zip2(AB and CD)
- btmp2.val[0] = vzip2q_u64(a2.val[0], b2.val[0]);
- btmp2.val[1] = vzip2q_u64(a2.val[1], b2.val[1]);
-
- vxor(s[i + 0], s[i + 0], atmp2.val[0]);
- vxor(s[i + 1], s[i + 1], btmp2.val[0]);
- vxor(s[i + 2], s[i + 2], atmp2.val[1]);
- vxor(s[i + 3], s[i + 3], btmp2.val[1]);
-
- pos += 8 * 2 * 2;
- }
- // Last iteration
- i = r / 8 - 1;
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- vxor(s[i], s[i], tmp);
- pos += 8;
-
- KeccakF1600_StatePermutex2(s);
- inlen -= r;
- }
-
- i = 0;
- while (inlen >= 16) {
- a1 = vld1q_u64((uint64_t *)&in0[pos]);
- b1 = vld1q_u64((uint64_t *)&in1[pos]);
- // BD = zip1(AB and CD)
- atmp1 = vzip1q_u64(a1, b1);
- // AC = zip2(AB and CD)
- btmp1 = vzip2q_u64(a1, b1);
-
- vxor(s[i + 0], s[i + 0], atmp1);
- vxor(s[i + 1], s[i + 1], btmp1);
-
- i += 2;
- pos += 8 * 2;
- inlen -= 8 * 2;
- }
-
- if (inlen >= 8) {
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- vxor(s[i], s[i], tmp);
-
- i++;
- pos += 8;
- inlen -= 8;
- }
-
- if (inlen) {
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- mask = vdupq_n_u64((1ULL << (8 * inlen)) - 1);
- tmp = vandq_u64(tmp, mask);
- vxor(s[i], s[i], tmp);
- }
-
- tmp = vdupq_n_u64((uint64_t)p << (8 * inlen));
- vxor(s[i], s[i], tmp);
-
- mask = vdupq_n_u64(1ULL << 63);
- vxor(s[r / 8 - 1], s[r / 8 - 1], mask);
-}
-
-/*************************************************
-* Name: keccak_squeezeblocks
-*
-* Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
-* Modifies the state. Can be called multiple times to keep
-* squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed (written to h)
-* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
-* - uint64_t *s: pointer to input/output Keccak state
-**************************************************/
-static
-void keccakx2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- unsigned int r,
- v128 s[25]){
- unsigned int i;
-
- uint64x1_t a, b;
- uint64x2x2_t a2, b2;
-
- while (nblocks > 0)
- {
- KeccakF1600_StatePermutex2(s);
-
- for (i = 0; i < r / 8 - 1; i += 4)
- {
- a2.val[0] = vuzp1q_u64(s[i], s[i + 1]);
- b2.val[0] = vuzp2q_u64(s[i], s[i + 1]);
- a2.val[1] = vuzp1q_u64(s[i + 2], s[i + 3]);
- b2.val[1] = vuzp2q_u64(s[i + 2], s[i + 3]);
- vst1q_u64_x2((uint64_t *)out0, a2);
- vst1q_u64_x2((uint64_t *)out1, b2);
-
- out0 += 32;
- out1 += 32;
- }
-
- i = r / 8 - 1;
- // Last iteration
- a = vget_low_u64(s[i]);
- b = vget_high_u64(s[i]);
- vst1_u64((uint64_t *)out0, a);
- vst1_u64((uint64_t *)out1, b);
-
- out0 += 8;
- out1 += 8;
-
- --nblocks;
- }
-}
-
-/*************************************************
-* Name: shake128x2_absorb
-*
-* Description: Absorb step of the SHAKE128 XOF.
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - keccakx2_state *state: pointer to (uninitialized) output
-* Keccak state
-* - const uint8_t *in: pointer to input to be absorbed into s
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake128x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- keccakx2_absorb(state->s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-}
-
-/*************************************************
-* Name: shake128_squeezeblocks
-*
-* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
-* SHAKE128_RATE bytes each. Modifies the state. Can be called
-* multiple times to keep squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed
-* (written to output)
-* - keccakx2_state *s: pointer to input/output Keccak state
-**************************************************/
-void shake128x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state) {
- keccakx2_squeezeblocks(out0, out1, nblocks, SHAKE128_RATE, state->s);
-}
-
-/*************************************************
-* Name: shake256_absorb
-*
-* Description: Absorb step of the SHAKE256 XOF.
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - keccakx2_state *s: pointer to (uninitialized) output Keccak state
-* - const uint8_t *in: pointer to input to be absorbed into s
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake256x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- keccakx2_absorb(state->s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-}
-
-/*************************************************
-* Name: shake256_squeezeblocks
-*
-* Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of
-* SHAKE256_RATE bytes each. Modifies the state. Can be called
-* multiple times to keep squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed
-* (written to output)
-* - keccakx2_state *s: pointer to input/output Keccak state
-**************************************************/
-void shake256x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state) {
- keccakx2_squeezeblocks(out0, out1, nblocks, SHAKE256_RATE, state->s);
-}
-
-/*************************************************
-* Name: shake128
-*
-* Description: SHAKE128 XOF with non-incremental API
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t outlen: requested output length in bytes
-* - const uint8_t *in: pointer to input
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake128x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- unsigned int i;
- size_t nblocks = outlen / SHAKE128_RATE;
- uint8_t t[2][SHAKE128_RATE];
- keccakx2_state state;
-
- shake128x2_absorb(&state, in0, in1, inlen);
- shake128x2_squeezeblocks(out0, out1, nblocks, &state);
-
- out0 += nblocks * SHAKE128_RATE;
- out1 += nblocks * SHAKE128_RATE;
- outlen -= nblocks * SHAKE128_RATE;
-
- if (outlen) {
- shake128x2_squeezeblocks(t[0], t[1], 1, &state);
- for (i = 0; i < outlen; ++i) {
- out0[i] = t[0][i];
- out1[i] = t[1][i];
- }
- }
-}
-
-/*************************************************
-* Name: shake256
-*
-* Description: SHAKE256 XOF with non-incremental API
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t outlen: requested output length in bytes
-* - const uint8_t *in: pointer to input
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake256x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- unsigned int i;
- size_t nblocks = outlen / SHAKE256_RATE;
- uint8_t t[2][SHAKE256_RATE];
- keccakx2_state state;
-
- shake256x2_absorb(&state, in0, in1, inlen);
- shake256x2_squeezeblocks(out0, out1, nblocks, &state);
-
- out0 += nblocks * SHAKE256_RATE;
- out1 += nblocks * SHAKE256_RATE;
- outlen -= nblocks * SHAKE256_RATE;
-
- if (outlen) {
- shake256x2_squeezeblocks(t[0], t[1], 1, &state);
- for (i = 0; i < outlen; ++i) {
- out0[i] = t[0][i];
- out1[i] = t[1][i];
- }
- }
-}
+++ /dev/null
-
-/*
- * This file is licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * at https://github.com/GMUCERG/PQC_NEON/blob/main/neon/kyber or
- * public domain at https://github.com/cothan/kyber/blob/master/neon
- */
-
-#ifndef FIPS202X2_H
-#define FIPS202X2_H
-
-#include "params.h"
-#include <arm_neon.h>
-#include <stddef.h>
-
-#include <fips202.h>
-
-typedef uint64x2_t v128;
-
-typedef struct {
- v128 s[25];
-} keccakx2_state;
-
-
-#define shake128x2_absorb DILITHIUM_NAMESPACE(shake128x2_absorb)
-void shake128x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake128x2_squeezeblocks DILITHIUM_NAMESPACE(shake128x2_squeezeblocks)
-void shake128x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state);
-
-#define shake256x2_absorb DILITHIUM_NAMESPACE(shake256x2_absorb)
-void shake256x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake256x2_squeezeblocks DILITHIUM_NAMESPACE(shake256x2_squeezeblocks)
-void shake256x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state);
-
-#define shake128x2 DILITHIUM_NAMESPACE(shake128x2)
-void shake128x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake256x2 DILITHIUM_NAMESPACE(shake256x2)
-void shake256x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-#endif
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros_common.inc"
-
-.macro wrap_trn_4x4 a0, a1, a2, a3, t0, t1, t2, t3, qS, dD
-
- trn1 \t0\qS, \a0\qS, \a1\qS
- trn2 \t1\qS, \a0\qS, \a1\qS
- trn1 \t2\qS, \a2\qS, \a3\qS
- trn2 \t3\qS, \a2\qS, \a3\qS
-
- trn1 \a0\dD, \t0\dD, \t2\dD
- trn2 \a2\dD, \t0\dD, \t2\dD
- trn1 \a1\dD, \t1\dD, \t3\dD
- trn2 \a3\dD, \t1\dD, \t3\dD
-
-.endm
-
-.macro trn_4x4 a0, a1, a2, a3, t0, t1, t2, t3
- wrap_trn_4x4 \a0, \a1, \a2, \a3, \t0, \t1, \t2, \t3, .4S, .2D
-.endm
-
-
-.macro dq_butterfly_vec_bot a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1
- wrap_dX_butterfly_vec_bot \a0, \a1, \b0, \b1, \t0, \t1, \mod, \l0, \h0, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_top a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1
- wrap_dX_butterfly_vec_top \a0, \a1, \b0, \b1, \t0, \t1, \mod, \l0, \h0, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3
- wrap_dX_butterfly_vec_mixed \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \l0, \h0, \l1, \h1, \l2, \h2, \l3, \h3, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3
- wrap_dX_butterfly_vec_mixed_rev \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \l0, \h0, \l1, \h1, \l2, \h2, \l3, \h3, .4S, .S
-.endm
-
-
-.macro dq_butterfly_top a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1
- wrap_dX_butterfly_top \a0, \a1, \b0, \b1, \t0, \t1, \mod, \z0, \l0, \h0, \z1, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_bot a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1
- wrap_dX_butterfly_bot \a0, \a1, \b0, \b1, \t0, \t1, \mod, \z0, \l0, \h0, \z1, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_dX_butterfly_mixed \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro dq_butterfly_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_dX_butterfly_mixed_rev \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-
-.macro qq_montgomery_mul b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_montgomery_mul \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-
-.macro qq_butterfly_top a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_butterfly_top \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro qq_butterfly_bot a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_butterfly_bot \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro qq_butterfly_mixed a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7
- wrap_qX_butterfly_mixed \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \a4, \a5, \a6, \a7, \b4, \b5, \b6, \b7, \t4, \t5, \t6, \t7, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, \z4, \l4, \h4, \z5, \l5, \h5, \z6, \l6, \h6, \z7, \l7, \h7, .4S, .S
-.endm
-
-.macro qq_butterfly_mixed_rev a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7
- wrap_qX_butterfly_mixed_rev \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \a4, \a5, \a6, \a7, \b4, \b5, \b6, \b7, \t4, \t5, \t6, \t7, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, \z4, \l4, \h4, \z5, \l5, \h5, \z6, \l6, \h6, \z7, \l7, \h7, .4S, .S
-.endm
-
-
-.macro qq_montgomery c0, c1, c2, c3, l0, l1, l2, l3, h0, h1, h2, h3, t0, t1, t2, t3, Qprime, Q
- wrap_qX_montgomery \c0, \c1, \c2, \c3, \l0, \l1, \l2, \l3, \h0, \h1, \h2, \h3, \t0, \t1, \t2, \t3, \Qprime, \Q, .2S, .4S, .2D
-.endm
-
-.macro qq_sub_add s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3
- wrap_qX_sub_add \s0, \s1, \s2, \s3, \t0, \t1, \t2, \t3, \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, .4S
-.endm
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-// for ABI
-
-.macro push_all
-
- sub sp, sp, #(16*9)
- stp x19, x20, [sp, #16*0]
- stp x21, x22, [sp, #16*1]
- stp x23, x24, [sp, #16*2]
- stp x25, x26, [sp, #16*3]
- stp x27, x28, [sp, #16*4]
- stp d8, d9, [sp, #16*5]
- stp d10, d11, [sp, #16*6]
- stp d12, d13, [sp, #16*7]
- stp d14, d15, [sp, #16*8]
-
-.endm
-
-.macro pop_all
-
- ldp x19, x20, [sp, #16*0]
- ldp x21, x22, [sp, #16*1]
- ldp x23, x24, [sp, #16*2]
- ldp x25, x26, [sp, #16*3]
- ldp x27, x28, [sp, #16*4]
- ldp d8, d9, [sp, #16*5]
- ldp d10, d11, [sp, #16*6]
- ldp d12, d13, [sp, #16*7]
- ldp d14, d15, [sp, #16*8]
- add sp, sp, #(16*9)
-
-.endm
-
-// vector-scalar butterflies
-
-.macro wrap_dX_butterfly_top a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_bot a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
-
-.endm
-
-.macro wrap_dX_butterfly_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
-
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- sub \b3\wX, \a3\wX, \t3\wX
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- add \a3\wX, \a3\wX, \t3\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_top a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_bot a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
- sub \b2\wX, \a2\wX, \t2\wX
- sub \b3\wX, \a3\wX, \t3\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
- add \a2\wX, \a2\wX, \t2\wX
- add \a3\wX, \a3\wX, \t3\wX
-
-.endm
-
-.macro wrap_qX_butterfly_mixed a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t4\wX, \b4\wX, \z4\nX[\h4]
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t5\wX, \b5\wX, \z5\nX[\h5]
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t6\wX, \b6\wX, \z6\nX[\h6]
- sub \b3\wX, \a3\wX, \t3\wX
- mul \t7\wX, \b7\wX, \z7\nX[\h7]
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b4\wX, \b4\wX, \z4\nX[\l4]
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b5\wX, \b5\wX, \z5\nX[\l5]
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b6\wX, \b6\wX, \z6\nX[\l6]
- add \a3\wX, \a3\wX, \t3\wX
- sqrdmulh \b7\wX, \b7\wX, \z7\nX[\l7]
-
- mls \t4\wX, \b4\wX, \mod\nX[0]
- mls \t5\wX, \b5\wX, \mod\nX[0]
- mls \t6\wX, \b6\wX, \mod\nX[0]
- mls \t7\wX, \b7\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_mixed_rev a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- sub \b4\wX, \a4\wX, \t4\wX
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- sub \b5\wX, \a5\wX, \t5\wX
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- sub \b6\wX, \a6\wX, \t6\wX
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
- sub \b7\wX, \a7\wX, \t7\wX
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- add \a4\wX, \a4\wX, \t4\wX
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- add \a5\wX, \a5\wX, \t5\wX
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- add \a6\wX, \a6\wX, \t6\wX
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
- add \a7\wX, \a7\wX, \t7\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-// vector-vector butterflies
-
-.macro wrap_dX_butterfly_vec_top a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1, wX, nX
-
- mul \t0\wX, \b0\wX, \h0\wX
- mul \t1\wX, \b1\wX, \h1\wX
-
- sqrdmulh \b0\wX, \b0\wX, \l0\wX
- sqrdmulh \b1\wX, \b1\wX, \l1\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_vec_bot a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
-
-.endm
-
-.macro wrap_dX_butterfly_vec_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t2\wX, \b2\wX, \h2\wX
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t3\wX, \b3\wX, \h3\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b2\wX, \b2\wX, \l2\wX
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b3\wX, \b3\wX, \l3\wX
-
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_vec_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \h0\wX
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t1\wX, \b1\wX, \h1\wX
- sub \b3\wX, \a3\wX, \t3\wX
-
- sqrdmulh \b0\wX, \b0\wX, \l0\wX
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b1\wX, \b1\wX, \l1\wX
- add \a3\wX, \a3\wX, \t3\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-// vector-scalar Barrett reduction
-
-.macro wrap_qX_barrett a0, a1, a2, a3, t0, t1, t2, t3, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\nX[0]
- sqdmulh \t1\wX, \a1\wX, \barrett_const\nX[0]
-
- sqdmulh \t2\wX, \a2\wX, \barrett_const\nX[0]
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t3\wX, \a3\wX, \barrett_const\nX[0]
- srshr \t1\wX, \t1\wX, \shrv
-
- srshr \t2\wX, \t2\wX, \shrv
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t3\wX, \t3\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
-
- mls \a2\wX, \t2\wX, \Q\wX
- mls \a3\wX, \t3\wX, \Q\wX
-
-.endm
-
-.macro wrap_oX_barrett a0, a1, a2, a3, t0, t1, t2, t3, a4, a5, a6, a7, t4, t5, t6, t7, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\nX[0]
- sqdmulh \t1\wX, \a1\wX, \barrett_const\nX[0]
- sqdmulh \t2\wX, \a2\wX, \barrett_const\nX[0]
- sqdmulh \t3\wX, \a3\wX, \barrett_const\nX[0]
-
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t4\wX, \a4\wX, \barrett_const\nX[0]
- srshr \t1\wX, \t1\wX, \shrv
- sqdmulh \t5\wX, \a5\wX, \barrett_const\nX[0]
- srshr \t2\wX, \t2\wX, \shrv
- sqdmulh \t6\wX, \a6\wX, \barrett_const\nX[0]
- srshr \t3\wX, \t3\wX, \shrv
- sqdmulh \t7\wX, \a7\wX, \barrett_const\nX[0]
-
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t4\wX, \t4\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
- srshr \t5\wX, \t5\wX, \shrv
- mls \a2\wX, \t2\wX, \Q\wX
- srshr \t6\wX, \t6\wX, \shrv
- mls \a3\wX, \t3\wX, \Q\wX
- srshr \t7\wX, \t7\wX, \shrv
-
- mls \a4\wX, \t4\wX, \Q\wX
- mls \a5\wX, \t5\wX, \Q\wX
- mls \a6\wX, \t6\wX, \Q\wX
- mls \a7\wX, \t7\wX, \Q\wX
-
-.endm
-
-// vector-vector Barrett reduction
-
-.macro wrap_qo_barrett_vec a0, a1, a2, a3, t0, t1, t2, t3, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\wX
- sqdmulh \t1\wX, \a1\wX, \barrett_const\wX
-
- sqdmulh \t2\wX, \a2\wX, \barrett_const\wX
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t3\wX, \a3\wX, \barrett_const\wX
- srshr \t1\wX, \t1\wX, \shrv
-
- srshr \t2\wX, \t2\wX, \shrv
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t3\wX, \t3\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
-
- mls \a2\wX, \t2\wX, \Q\wX
- mls \a3\wX, \t3\wX, \Q\wX
-
-.endm
-
-.macro wrap_oo_barrett_vec a0, a1, a2, a3, t0, t1, t2, t3, a4, a5, a6, a7, t4, t5, t6, t7, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\wX
- sqdmulh \t1\wX, \a1\wX, \barrett_const\wX
- sqdmulh \t2\wX, \a2\wX, \barrett_const\wX
- sqdmulh \t3\wX, \a3\wX, \barrett_const\wX
-
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t4\wX, \a4\wX, \barrett_const\wX
- srshr \t1\wX, \t1\wX, \shrv
- sqdmulh \t5\wX, \a5\wX, \barrett_const\wX
- srshr \t2\wX, \t2\wX, \shrv
- sqdmulh \t6\wX, \a6\wX, \barrett_const\wX
- srshr \t3\wX, \t3\wX, \shrv
- sqdmulh \t7\wX, \a7\wX, \barrett_const\wX
-
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t4\wX, \t4\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
- srshr \t5\wX, \t5\wX, \shrv
- mls \a2\wX, \t2\wX, \Q\wX
- srshr \t6\wX, \t6\wX, \shrv
- mls \a3\wX, \t3\wX, \Q\wX
- srshr \t7\wX, \t7\wX, \shrv
-
- mls \a4\wX, \t4\wX, \Q\wX
- mls \a5\wX, \t5\wX, \Q\wX
- mls \a6\wX, \t6\wX, \Q\wX
- mls \a7\wX, \t7\wX, \Q\wX
-
-.endm
-
-// Montgomery multiplication
-
-.macro wrap_qX_montgomery_mul b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \b0\wX, \t0\wX, \z0\nX[\h0]
- mul \b1\wX, \t1\wX, \z1\nX[\h1]
- mul \b2\wX, \t2\wX, \z2\nX[\h2]
- mul \b3\wX, \t3\wX, \z3\nX[\h3]
-
- sqrdmulh \t0\wX, \t0\wX, \z0\nX[\l0]
- sqrdmulh \t1\wX, \t1\wX, \z1\nX[\l1]
- sqrdmulh \t2\wX, \t2\wX, \z2\nX[\l2]
- sqrdmulh \t3\wX, \t3\wX, \z3\nX[\l3]
-
- mls \b0\wX, \t0\wX, \mod\nX[0]
- mls \b1\wX, \t1\wX, \mod\nX[0]
- mls \b2\wX, \t2\wX, \mod\nX[0]
- mls \b3\wX, \t3\wX, \mod\nX[0]
-
-.endm
-
-// Montgomery reduction with long
-
-.macro wrap_qX_montgomery c0, c1, c2, c3, l0, l1, l2, l3, h0, h1, h2, h3, t0, t1, t2, t3, Qprime, Q, lX, wX, dwX
-
- uzp1 \t0\wX, \l0\wX, \h0\wX
- uzp1 \t1\wX, \l1\wX, \h1\wX
- uzp1 \t2\wX, \l2\wX, \h2\wX
- uzp1 \t3\wX, \l3\wX, \h3\wX
-
- mul \t0\wX, \t0\wX, \Qprime\wX
- mul \t1\wX, \t1\wX, \Qprime\wX
- mul \t2\wX, \t2\wX, \Qprime\wX
- mul \t3\wX, \t3\wX, \Qprime\wX
-
- smlal \l0\dwX, \t0\lX, \Q\lX
- smlal2 \h0\dwX, \t0\wX, \Q\wX
- smlal \l1\dwX, \t1\lX, \Q\lX
- smlal2 \h1\dwX, \t1\wX, \Q\wX
- smlal \l2\dwX, \t2\lX, \Q\lX
- smlal2 \h2\dwX, \t2\wX, \Q\wX
- smlal \l3\dwX, \t3\lX, \Q\lX
- smlal2 \h3\dwX, \t3\wX, \Q\wX
-
- uzp2 \c0\wX, \l0\wX, \h0\wX
- uzp2 \c1\wX, \l1\wX, \h1\wX
- uzp2 \c2\wX, \l2\wX, \h2\wX
- uzp2 \c3\wX, \l3\wX, \h3\wX
-
-.endm
-
-// add_sub, sub_add
-
-.macro wrap_qX_add_sub s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3, wX
-
- add \s0\wX, \a0\wX, \b0\wX
- sub \t0\wX, \a0\wX, \b0\wX
- add \s1\wX, \a1\wX, \b1\wX
- sub \t1\wX, \a1\wX, \b1\wX
- add \s2\wX, \a2\wX, \b2\wX
- sub \t2\wX, \a2\wX, \b2\wX
- add \s3\wX, \a3\wX, \b3\wX
- sub \t3\wX, \a3\wX, \b3\wX
-
-.endm
-
-.macro wrap_qX_sub_add s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3, wX
-
- sub \t0\wX, \a0\wX, \b0\wX
- add \s0\wX, \a0\wX, \b0\wX
- sub \t1\wX, \a1\wX, \b1\wX
- add \s1\wX, \a1\wX, \b1\wX
- sub \t2\wX, \a2\wX, \b2\wX
- add \s2\wX, \a2\wX, \b2\wX
- sub \t3\wX, \a3\wX, \b3\wX
- add \s3\wX, \a3\wX, \b3\wX
-
-.endm
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "reduce.h"
-#include <stdint.h>
-#include <stdio.h>
-
-#include "NTT_params.h"
-#include "ntt.h"
-
-
-/*************************************************
-* Name: ntt
-*
-* Description: Forward NTT, in-place. No modular reduction is performed after
-* additions or subtractions. Output vector is in bitreversed order.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void ntt(int32_t a[N]) {
- NTT(a);
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
-* In-place. No modular reductions after additions or
-* subtractions; input coefficients need to be smaller than
-* Q in absolute value. Output coefficient are smaller than Q in
-* absolute value.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void invntt_tomont(int32_t a[N]) {
- iNTT(a);
-}
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef NTT_H
-#define NTT_H
-#include "NTT_params.h"
-#include "params.h"
-#include <stdint.h>
-
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_top(int *des, const int *table, const int *_constants);
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_bot(int *des, const int *table, const int *_constants);
-
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_top(int *des, const int *table, const int *_constants);
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_bot(int *des, const int *table, const int *_constants);
-
-#define NTT(in) { \
- PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_top(in, streamlined_CT_negacyclic_table_Q1_extended, constants); \
- PQCLEAN_DILITHIUM2_AARCH64__asm_ntt_SIMD_bot(in, streamlined_CT_negacyclic_table_Q1_extended, constants); \
- }
-
-#define iNTT(in) { \
- PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_bot(in, streamlined_inv_CT_table_Q1_extended, constants); \
- PQCLEAN_DILITHIUM2_AARCH64__asm_intt_SIMD_top(in, streamlined_inv_CT_table_Q1_extended, constants); \
- }
-
-#define ntt DILITHIUM_NAMESPACE(ntt)
-void ntt(int32_t a[ARRAY_N]);
-#define invntt_tomont DILITHIUM_NAMESPACE(invntt_tomont)
-void invntt_tomont(int32_t a[ARRAY_N]);
-
-static const int constants[16] = {
- Q1, -Q1prime, RmodQ1_prime_half, RmodQ1_doubleprime,
- invNQ1R2modQ1_prime_half,
- invNQ1R2modQ1_doubleprime,
- invNQ1_final_R2modQ1_prime_half,
- invNQ1_final_R2modQ1_doubleprime
-};
-
-static const int streamlined_CT_negacyclic_table_Q1_extended[(NTT_N + (1 << 0) + (1 << 4)) << 1] = {
- 0, 0, -915382907, -3572223, 964937599, 3765607, 963888510, 3761513, -820383522, -3201494, -738955404, -2883726, -806080660, -3145678, -820367122, -3201430, -154181397, -601683, 907762539, 3542485, 687336873, 2682288, 545785280, 2129892, 964747974, 3764867, -257592709, -1005239, 142848732, 557458, -312926867, -1221177, 0, 0, -863652652, -3370349, 923069133, 3602218, 815613168, 3182878, 787459213, 3073009, 327391679, 1277625, -675340520, -2635473, 987079667, 3852015, 449207, 1753, -495951789, -1935420, -681503850, -2659525, -373072124, -1455890, 681730119, 2660408, -456183549, -1780227, -15156688, -59148, 710479343, 2772600, 0, 0, -1041158200, -4063053, 702264730, 2740543, -919027554, -3586446, 1071989969, 4183372, -825844983, -3222807, -799869667, -3121440, -70227934, -274060, 302950022, 1182243, 22347069, 87208, 163212680, 636927, -1016110510, -3965306, -1013916752, -3956745, -588452222, -2296397, -841760171, -3284915, -952468207, -3716946, 0, 0, 682491182, 2663378, -797147778, -3110818, 538486762, 2101410, 642926661, 2508980, 519705671, 2028118, 496502727, 1937570, -977780347, -3815725, -7126831, -27812, 210776307, 822541, 258649997, 1009365, -628875181, -2454145, -507246529, -1979497, 409185979, 1596822, -1013967746, -3956944, -963363710, -3759465, 0, 0, -429120452, -1674615, 949361686, 3704823, 297218217, 1159875, 720393920, 2811291, -764594519, -2983781, -284313712, -1109516, 1065510939, 4158088, -431820817, -1685153, -873958779, -3410568, 686309310, 2678278, -965793731, -3768948, -909946047, -3551006, 162963861, 635956, -64176841, -250446, -629190881, -2455377, 0, 0, -903139016, -3524442, 101000509, 394148, 237992130, 928749, 391567239, 1528066, 123678909, 482649, 294395108, 1148858, -759080783, -2962264, -1062481036, -4146264, -454226054, -1772588, 561940831, 2192938, -442566669, -1727088, 611800717, 2387513, -925511710, -3611750, -68791907, -268456, -814992530, -3180456, 0, 0, -111244624, -434125, 280713909, 1095468, -898510625, -3506380, -144935890, -565603, 43482586, 169688, 631001801, 2462444, -854436357, -3334383, 960233614, 3747250, 588375860, 2296099, 317727459, 1239911, -983611064, -3838479, 818892658, 3195676, 677264190, 2642980, 321386456, 1254190, -3181859, -12417, 0, 0, 173376332, 676590, 530906624, 2071829, -1029866791, -4018989, -1067647297, -4166425, -893898890, -3488383, 509377762, 1987814, -819295484, -3197248, 768294260, 2998219, 36345249, 141835, -22883400, -89301, 643961400, 2513018, -347191365, -1354892, 157142369, 613238, -335754661, -1310261, -568482643, -2218467, 0, 0, -342333886, -1335936, 830756018, 3241972, 552488273, 2156050, 444930577, 1736313, 60323094, 235407, -832852657, -3250154, 834980303, 3258457, -117552223, -458740, -492511373, -1921994, 1035301089, 4040196, -889718424, -3472069, 522531086, 2039144, -481719139, -1879878, -209807681, -818761, -558360247, -2178965, 0, 0, -827143915, -3227876, 875112161, 3415069, 450833045, 1759347, -660934133, -2579253, 458160776, 1787943, -612717067, -2391089, -577774276, -2254727, -415984810, -1623354, 539479988, 2105286, -608441020, -2374402, -521163479, -2033807, 150224382, 586241, -302276083, -1179613, 135295244, 527981, -702999655, -2743411, 0, 0, 439288460, 1714295, -209493775, -817536, -915957677, -3574466, 892316032, 3482206, -1071872863, -4182915, -333129378, -1300016, -605279149, -2362063, -378477722, -1476985, 510974714, 1994046, 638402564, 2491325, -356997292, -1393159, 130156402, 507927, -304395785, -1187885, -185731180, -724804, -470097680, -1834526, 0, 0, 628833668, 2453983, 962678241, 3756790, -496048908, -1935799, -337655269, -1317678, 630730945, 2461387, 777970524, 3035980, 159173408, 621164, -777397036, -3033742, -86720197, -338420, 678549029, 2647994, 771248568, 3009748, -669544140, -2612853, 1063046068, 4148469, 192079267, 749577, -1030830548, -4022750, 0, 0, 374309300, 1460718, -439978542, -1716988, -1012201926, -3950053, 999753034, 3901472, -314332144, -1226661, 749740976, 2925816, 864652284, 3374250, 1020029345, 3980599, 658309618, 2569011, -413979908, -1615530, 441577800, 1723229, 426738094, 1665318, 519685171, 2028038, 298172236, 1163598, -863376927, -3369273, 0, 0, -164673562, -642628, -742437332, -2897314, 818041395, 3192354, 347590090, 1356448, -711287812, -2775755, 687588511, 2683270, -712065019, -2778788, 1023635298, 3994671, -3043996, -11879, -351195274, -1370517, 773976352, 3020393, 861908357, 3363542, 55063046, 214880, 139752717, 545376, -197425671, -770441, 0, 0, -918682129, -3585098, 142694469, 556856, 991769559, 3870317, -888589898, -3467665, 592665232, 2312838, -167401858, -653275, -117660617, -459163, 795799901, 3105558, -282732136, -1103344, 130212265, 508145, -141890356, -553718, 220412084, 860144, 879049958, 3430436, 35937555, 140244, -388001774, -1514152, 0, 0, 721508096, 2815639, 747568486, 2917338, 475038184, 1853806, 89383150, 348812, -84011120, -327848, 259126110, 1011223, -603268097, -2354215, -559928242, -2185084, 800464680, 3123762, 604333585, 2358373, -561979013, -2193087, -772445769, -3014420, -439933955, -1716814, 749801963, 2926054, -100631253, -392707, 0, 0, 585207070, 2283733, 857403734, 3345963, 476219497, 1858416, -978523985, -3818627, -492577742, -1922253, -573161516, -2236726, 447030292, 1744507, -77645096, -303005, 904878186, 3531229, -1018462631, -3974485, -967019376, -3773731, 486888731, 1900052, -200355636, -781875, 270210213, 1054478, -187430119, -731434, 0, 0
-};
-
-static const int streamlined_inv_CT_table_Q1_extended[(NTT_N + (1 << 0) + (1 << 4)) << 1] = {
- 0, 0, 915382907, 3572223, -963888510, -3761513, -964937599, -3765607, 820367122, 3201430, 806080660, 3145678, 738955404, 2883726, 820383522, 3201494, 312926867, 1221177, -142848732, -557458, 257592709, 1005239, -964747974, -3764867, -545785280, -2129892, -687336873, -2682288, -907762539, -3542485, 154181397, 601683, 0, 0, -585207070, -2283733, -476219497, -1858416, -857403734, -3345963, -447030292, -1744507, 573161516, 2236726, 492577742, 1922253, 978523985, 3818627, 187430119, 731434, -270210213, -1054478, 200355636, 781875, -486888731, -1900052, 967019376, 3773731, 1018462631, 3974485, -904878186, -3531229, 77645096, 303005, 0, 0, -721508096, -2815639, -475038184, -1853806, -747568486, -2917338, 603268097, 2354215, -259126110, -1011223, 84011120, 327848, -89383150, -348812, 100631253, 392707, -749801963, -2926054, 439933955, 1716814, 772445769, 3014420, 561979013, 2193087, -604333585, -2358373, -800464680, -3123762, 559928242, 2185084, 0, 0, 918682129, 3585098, -991769559, -3870317, -142694469, -556856, 117660617, 459163, 167401858, 653275, -592665232, -2312838, 888589898, 3467665, 388001774, 1514152, -35937555, -140244, -879049958, -3430436, -220412084, -860144, 141890356, 553718, -130212265, -508145, 282732136, 1103344, -795799901, -3105558, 0, 0, 164673562, 642628, -818041395, -3192354, 742437332, 2897314, 712065019, 2778788, -687588511, -2683270, 711287812, 2775755, -347590090, -1356448, 197425671, 770441, -139752717, -545376, -55063046, -214880, -861908357, -3363542, -773976352, -3020393, 351195274, 1370517, 3043996, 11879, -1023635298, -3994671, 0, 0, -374309300, -1460718, 1012201926, 3950053, 439978542, 1716988, -864652284, -3374250, -749740976, -2925816, 314332144, 1226661, -999753034, -3901472, 863376927, 3369273, -298172236, -1163598, -519685171, -2028038, -426738094, -1665318, -441577800, -1723229, 413979908, 1615530, -658309618, -2569011, -1020029345, -3980599, 0, 0, -628833668, -2453983, 496048908, 1935799, -962678241, -3756790, -159173408, -621164, -777970524, -3035980, -630730945, -2461387, 337655269, 1317678, 1030830548, 4022750, -192079267, -749577, -1063046068, -4148469, 669544140, 2612853, -771248568, -3009748, -678549029, -2647994, 86720197, 338420, 777397036, 3033742, 0, 0, -439288460, -1714295, 915957677, 3574466, 209493775, 817536, 605279149, 2362063, 333129378, 1300016, 1071872863, 4182915, -892316032, -3482206, 470097680, 1834526, 185731180, 724804, 304395785, 1187885, -130156402, -507927, 356997292, 1393159, -638402564, -2491325, -510974714, -1994046, 378477722, 1476985, 0, 0, 827143915, 3227876, -450833045, -1759347, -875112161, -3415069, 577774276, 2254727, 612717067, 2391089, -458160776, -1787943, 660934133, 2579253, 702999655, 2743411, -135295244, -527981, 302276083, 1179613, -150224382, -586241, 521163479, 2033807, 608441020, 2374402, -539479988, -2105286, 415984810, 1623354, 0, 0, 342333886, 1335936, -552488273, -2156050, -830756018, -3241972, -834980303, -3258457, 832852657, 3250154, -60323094, -235407, -444930577, -1736313, 558360247, 2178965, 209807681, 818761, 481719139, 1879878, -522531086, -2039144, 889718424, 3472069, -1035301089, -4040196, 492511373, 1921994, 117552223, 458740, 0, 0, -173376332, -676590, 1029866791, 4018989, -530906624, -2071829, 819295484, 3197248, -509377762, -1987814, 893898890, 3488383, 1067647297, 4166425, 568482643, 2218467, 335754661, 1310261, -157142369, -613238, 347191365, 1354892, -643961400, -2513018, 22883400, 89301, -36345249, -141835, -768294260, -2998219, 0, 0, 111244624, 434125, 898510625, 3506380, -280713909, -1095468, 854436357, 3334383, -631001801, -2462444, -43482586, -169688, 144935890, 565603, 3181859, 12417, -321386456, -1254190, -677264190, -2642980, -818892658, -3195676, 983611064, 3838479, -317727459, -1239911, -588375860, -2296099, -960233614, -3747250, 0, 0, 903139016, 3524442, -237992130, -928749, -101000509, -394148, 759080783, 2962264, -294395108, -1148858, -123678909, -482649, -391567239, -1528066, 814992530, 3180456, 68791907, 268456, 925511710, 3611750, -611800717, -2387513, 442566669, 1727088, -561940831, -2192938, 454226054, 1772588, 1062481036, 4146264, 0, 0, 429120452, 1674615, -297218217, -1159875, -949361686, -3704823, -1065510939, -4158088, 284313712, 1109516, 764594519, 2983781, -720393920, -2811291, 629190881, 2455377, 64176841, 250446, -162963861, -635956, 909946047, 3551006, 965793731, 3768948, -686309310, -2678278, 873958779, 3410568, 431820817, 1685153, 0, 0, -682491182, -2663378, -538486762, -2101410, 797147778, 3110818, 977780347, 3815725, -496502727, -1937570, -519705671, -2028118, -642926661, -2508980, 963363710, 3759465, 1013967746, 3956944, -409185979, -1596822, 507246529, 1979497, 628875181, 2454145, -258649997, -1009365, -210776307, -822541, 7126831, 27812, 0, 0, 1041158200, 4063053, 919027554, 3586446, -702264730, -2740543, 70227934, 274060, 799869667, 3121440, 825844983, 3222807, -1071989969, -4183372, 952468207, 3716946, 841760171, 3284915, 588452222, 2296397, 1013916752, 3956745, 1016110510, 3965306, -163212680, -636927, -22347069, -87208, -302950022, -1182243, 0, 0, 863652652, 3370349, -815613168, -3182878, -923069133, -3602218, -987079667, -3852015, 675340520, 2635473, -327391679, -1277625, -787459213, -3073009, -710479343, -2772600, 15156688, 59148, 456183549, 1780227, -681730119, -2660408, 373072124, 1455890, 681503850, 2659525, 495951789, 1935420, -449207, -1753, 0, 0
-};
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- pk[i] = rho[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
- }
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = pk[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = rho[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = key[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = tr[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
- }
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- key[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- tr[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sig[i] = c[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for (i = 0; i < OMEGA + K; ++i) {
- sig[i] = 0;
- }
-
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- if (h->vec[i].coeffs[j] != 0) {
- sig[k++] = (uint8_t) j;
- }
- }
-
- sig[OMEGA + i] = (uint8_t) k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES]) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- c[i] = sig[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- h->vec[i].coeffs[j] = 0;
- }
-
- if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
- return 1;
- }
-
- for (j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if (j > k && sig[j] <= sig[j - 1]) {
- return 1;
- }
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for (j = k; j < OMEGA; ++j) {
- if (sig[j]) {
- return 1;
- }
- }
-
- return 0;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PACKING_H
-#define PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include <stdint.h>
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#define DILITHIUM_MODE 2
-//#define DILITHIUM_MODE 3
-//#define DILITHIUM_MODE 5
-
-#define CRYPTO_NAMESPACETOP PQCLEAN_DILITHIUM2_AARCH64_crypto_sign
-#define CRYPTO_NAMESPACE(s) PQCLEAN_DILITHIUM2_AARCH64_##s
-#define DILITHIUM_NAMESPACETOP CRYPTO_NAMESPACETOP
-#define DILITHIUM_NAMESPACE(s) CRYPTO_NAMESPACE(s)
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define DILITHIUM_Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((DILITHIUM_Q-1)/88)
-#define OMEGA 80
-#define CRYPTO_ALGNAME "Dilithium2"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (DILITHIUM_Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (DILITHIUM_Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#define POLYETA_PACKEDBYTES 96
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "poly.h"
-#include "reduce.h"
-#include "rounding.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-#include "fips202x2.h"
-
-#include "NTT_params.h"
-#include "ntt.h"
-
-static const int32_t montgomery_const[4] = {
- DILITHIUM_Q, DILITHIUM_QINV
-};
-
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007].
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_poly_reduce(int32_t *, const int32_t *);
-void poly_reduce(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2_AARCH64__asm_poly_reduce(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_caddq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_poly_caddq(int32_t *, const int32_t *);
-void poly_caddq(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2_AARCH64__asm_poly_caddq(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_freeze
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* standard representatives.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_poly_freeze(int32_t *, const int32_t *);
-void poly_freeze(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2_AARCH64__asm_poly_freeze(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = a->coeffs[i] - b->coeffs[i];
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- a->coeffs[i] <<= D;
- }
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_tomont(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_poly_pointwise_montgomery(int32_t *des, const int32_t *src1, const int32_t *src2, const int32_t *table);
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2_AARCH64__asm_poly_pointwise_montgomery(c->coeffs, a->coeffs, b->coeffs, montgomery_const);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_poly_power2round(int32_t *, int32_t *, const int32_t *);
-void poly_power2round(poly *a1, poly *a0, const poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2_AARCH64__asm_poly_power2round(a1->coeffs, a0->coeffs, a->coeffs);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
- }
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint polynomial. The coefficients of which indicate
-* whether the low bits of the corresponding coefficient of
-* the input polynomial overflow into the high bits.
-*
-* Arguments: - poly *h: pointer to output hint polynomial
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
- unsigned int i, s = 0;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
- s += h->coeffs[i];
- }
-
- DBENCH_STOP(*tround);
- return s;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
- }
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input coefficients were reduced by reduce32().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int32_t t;
- DBENCH_START();
-
- if (B > (DILITHIUM_Q - 1) / 8) {
- return 1;
- }
-
- /* It is ok to leak which coefficient violates the bound since
- the probability for each coefficient is independent of secret
- data but we must not leak the sign of the centralized representative. */
- for (i = 0; i < N; ++i) {
- /* Absolute value */
- t = a->coeffs[i] >> 31;
- t = a->coeffs[i] - (t & 2 * a->coeffs[i]);
-
- if (t >= B) {
- DBENCH_STOP(*tsample);
- return 1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return 0;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if (t < DILITHIUM_Q) {
- a[ctr++] = t;
- }
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-
-#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce) {
- unsigned int i, ctr, off;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
- stream128_state state;
-
- stream128_init(&state, seed, nonce);
- stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);
-
- ctr = rej_uniform(a->coeffs, N, buf, buflen);
-
- while (ctr < N) {
- off = buflen % 3;
- for (i = 0; i < off; ++i) {
- buf[i] = buf[buflen - off + i];
- }
-
- stream128_squeezeblocks(buf + off, 1, &state);
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
- stream128_release(&state);
-}
-
-void poly_uniformx2(poly *a0, poly *a1,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0, uint16_t nonce1) {
- unsigned int ctr0, ctr1;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES;
- uint8_t buf0[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
- uint8_t buf1[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
-
- keccakx2_state statex2;
- dilithium_shake128x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake128x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_NBLOCKS, &statex2);
-
- ctr0 = rej_uniform(a0->coeffs, N, buf0, buflen);
- ctr1 = rej_uniform(a1->coeffs, N, buf1, buflen);
-
- while (ctr0 < N || ctr1 < N) {
- shake128x2_squeezeblocks(buf0, buf1, 1, &statex2);
- ctr0 += rej_uniform(a0->coeffs + ctr0, N - ctr0, buf0, buflen);
- ctr1 += rej_uniform(a1->coeffs + ctr1, N - ctr1, buf1, buflen);
- }
-
-
-}
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-
- if (t0 < 15) {
- t0 = t0 - (205 * t0 >> 10) * 5;
- a[ctr++] = 2 - t0;
- }
- if (t1 < 15 && ctr < len) {
- t1 = t1 - (205 * t1 >> 10) * 5;
- a[ctr++] = 2 - t1;
- }
-
-
-
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce) {
- unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr = rej_eta(a->coeffs, N, buf, buflen);
-
- while (ctr < N) {
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
- stream256_release(&state);
-}
-
-void poly_uniform_etax2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1) {
- unsigned int ctr0, ctr1;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
-
- uint8_t buf0[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
- uint8_t buf1[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
-
- keccakx2_state statex2;
-
- dilithium_shake256x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake256x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_ETA_NBLOCKS, &statex2);
-
- ctr0 = rej_eta(a0->coeffs, N, buf0, buflen);
- ctr1 = rej_eta(a1->coeffs, N, buf1, buflen);
-
- while (ctr0 < N || ctr1 < N) {
- shake256x2_squeezeblocks(buf0, buf1, 1, &statex2);
- ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf0, STREAM256_BLOCKBYTES);
- ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf1, STREAM256_BLOCKBYTES);
- }
-}
-
-/*************************************************
-* Name: poly_uniform_gamma1m1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce) {
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- stream256_release(&state);
- polyz_unpack(a, buf);
-}
-
-void poly_uniform_gamma1x2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1) {
-
- uint8_t buf0[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
- uint8_t buf1[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
-
- keccakx2_state statex2;
-
- dilithium_shake256x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake256x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_GAMMA1_NBLOCKS, &statex2);
-
- polyz_unpack(a0, buf0);
- polyz_unpack(a1, buf1);
-
-}
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf, sizeof buf, &state);
-
- signs = 0;
- for (i = 0; i < 8; ++i) {
- signs |= (uint64_t)buf[i] << 8 * i;
- }
- pos = 8;
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = 0;
- }
- for (i = N - TAU; i < N; ++i) {
- do {
- if (pos >= SHAKE256_RATE) {
- shake256_inc_squeeze(buf, sizeof buf, &state);
- pos = 0;
- }
-
- b = buf[pos++];
- } while (b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2 * (signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = ETA - a->coeffs[8 * i + 0];
- t[1] = ETA - a->coeffs[8 * i + 1];
- t[2] = ETA - a->coeffs[8 * i + 2];
- t[3] = ETA - a->coeffs[8 * i + 3];
- t[4] = ETA - a->coeffs[8 * i + 4];
- t[5] = ETA - a->coeffs[8 * i + 5];
- t[6] = ETA - a->coeffs[8 * i + 6];
- t[7] = ETA - a->coeffs[8 * i + 7];
-
- r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7;
- r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7;
- r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7;
- r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7;
- r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7;
- r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7;
- r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7;
- r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7;
-
- r->coeffs[8 * i + 0] = ETA - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = ETA - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = ETA - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = ETA - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = ETA - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = ETA - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = ETA - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = ETA - r->coeffs[8 * i + 7];
- }
-
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r[5 * i + 0] = (uint8_t) (a->coeffs[4 * i + 0] >> 0);
- r[5 * i + 1] = (uint8_t) ((a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2));
- r[5 * i + 2] = (uint8_t) ((a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4));
- r[5 * i + 3] = (uint8_t) ((a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6));
- r[5 * i + 4] = (uint8_t) (a->coeffs[4 * i + 3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_10_to_32(int32_t *, const uint8_t *);
-void polyt1_unpack(poly *r, const uint8_t *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM2_AARCH64__asm_10_to_32(r->coeffs, a);
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0];
- t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1];
- t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2];
- t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3];
- t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4];
- t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5];
- t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6];
- t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7];
-
- r[13 * i + 0] = (uint8_t) t[0];
- r[13 * i + 1] = (uint8_t) (t[0] >> 8);
- r[13 * i + 1] |= (uint8_t) (t[1] << 5);
- r[13 * i + 2] = (uint8_t) (t[1] >> 3);
- r[13 * i + 3] = (uint8_t) (t[1] >> 11);
- r[13 * i + 3] |= (uint8_t) (t[2] << 2);
- r[13 * i + 4] = (uint8_t) (t[2] >> 6);
- r[13 * i + 4] |= (uint8_t) (t[3] << 7);
- r[13 * i + 5] = (uint8_t) (t[3] >> 1);
- r[13 * i + 6] = (uint8_t) (t[3] >> 9);
- r[13 * i + 6] |= (uint8_t) (t[4] << 4);
- r[13 * i + 7] = (uint8_t) (t[4] >> 4);
- r[13 * i + 8] = (uint8_t) (t[4] >> 12);
- r[13 * i + 8] |= (uint8_t) (t[5] << 1);
- r[13 * i + 9] = (uint8_t) (t[5] >> 7);
- r[13 * i + 9] |= (uint8_t) (t[6] << 6);
- r[13 * i + 10] = (uint8_t) (t[6] >> 2);
- r[13 * i + 11] = (uint8_t) (t[6] >> 10);
- r[13 * i + 11] |= (uint8_t) (t[7] << 3);
- r[13 * i + 12] = (uint8_t) (t[7] >> 5);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = a[13 * i + 0];
- r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8;
- r->coeffs[8 * i + 0] &= 0x1FFF;
-
- r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11;
- r->coeffs[8 * i + 1] &= 0x1FFF;
-
- r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2;
- r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6;
- r->coeffs[8 * i + 2] &= 0x1FFF;
-
- r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9;
- r->coeffs[8 * i + 3] &= 0x1FFF;
-
- r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12;
- r->coeffs[8 * i + 4] &= 0x1FFF;
-
- r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1;
- r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7;
- r->coeffs[8 * i + 5] &= 0x1FFF;
-
- r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10;
- r->coeffs[8 * i + 6] &= 0x1FFF;
-
- r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3;
- r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5;
- r->coeffs[8 * i + 7] &= 0x1FFF;
-
- r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = (1 << (D - 1)) - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
- #if GAMMA1 == (1 << 17)
-
- for (i = 0; i < N / 4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4 * i + 0];
- t[1] = GAMMA1 - a->coeffs[4 * i + 1];
- t[2] = GAMMA1 - a->coeffs[4 * i + 2];
- t[3] = GAMMA1 - a->coeffs[4 * i + 3];
-
- r[9 * i + 0] = t[0];
- r[9 * i + 1] = t[0] >> 8;
- r[9 * i + 2] = t[0] >> 16;
- r[9 * i + 2] |= t[1] << 2;
- r[9 * i + 3] = t[1] >> 6;
- r[9 * i + 4] = t[1] >> 14;
- r[9 * i + 4] |= t[2] << 4;
- r[9 * i + 5] = t[2] >> 4;
- r[9 * i + 6] = t[2] >> 12;
- r[9 * i + 6] |= t[3] << 6;
- r[9 * i + 7] = t[3] >> 2;
- r[9 * i + 8] = t[3] >> 10;
- }
-
- #elif GAMMA1 == (1 << 19)
-
- for (i = 0; i < N / 2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2 * i + 0];
- t[1] = GAMMA1 - a->coeffs[2 * i + 1];
-
- r[5 * i + 0] = t[0];
- r[5 * i + 1] = t[0] >> 8;
- r[5 * i + 2] = t[0] >> 16;
- r[5 * i + 2] |= t[1] << 4;
- r[5 * i + 3] = t[1] >> 4;
- r[5 * i + 4] = t[1] >> 12;
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- #if GAMMA1 == (1 << 17)
-
- for (i = 0; i < N / 4; ++i) {
- r->coeffs[4 * i + 0] = a[9 * i + 0];
- r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 1] << 8;
- r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 2] << 16;
- r->coeffs[4 * i + 0] &= 0x3FFFF;
-
- r->coeffs[4 * i + 1] = a[9 * i + 2] >> 2;
- r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 3] << 6;
- r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 4] << 14;
- r->coeffs[4 * i + 1] &= 0x3FFFF;
-
- r->coeffs[4 * i + 2] = a[9 * i + 4] >> 4;
- r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 5] << 4;
- r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 6] << 12;
- r->coeffs[4 * i + 2] &= 0x3FFFF;
-
- r->coeffs[4 * i + 3] = a[9 * i + 6] >> 6;
- r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 7] << 2;
- r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 8] << 10;
- r->coeffs[4 * i + 3] &= 0x3FFFF;
-
- r->coeffs[4 * i + 0] = GAMMA1 - r->coeffs[4 * i + 0];
- r->coeffs[4 * i + 1] = GAMMA1 - r->coeffs[4 * i + 1];
- r->coeffs[4 * i + 2] = GAMMA1 - r->coeffs[4 * i + 2];
- r->coeffs[4 * i + 3] = GAMMA1 - r->coeffs[4 * i + 3];
- }
-
- #elif GAMMA1 == (1 << 19)
-
- for (i = 0; i < N / 2; ++i) {
- r->coeffs[2 * i + 0] = a[5 * i + 0];
- r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8;
- r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 2] << 16;
- r->coeffs[2 * i + 0] &= 0xFFFFF;
-
- r->coeffs[2 * i + 1] = a[5 * i + 2] >> 4;
- r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4;
- r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12;
- r->coeffs[2 * i + 0] &= 0xFFFFF;
-
- r->coeffs[2 * i + 0] = GAMMA1 - r->coeffs[2 * i + 0];
- r->coeffs[2 * i + 1] = GAMMA1 - r->coeffs[2 * i + 1];
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- #if GAMMA2 == (DILITHIUM_Q-1)/88
-
- for (i = 0; i < N / 4; ++i) {
- r[3 * i + 0] = a->coeffs[4 * i + 0];
- r[3 * i + 0] |= a->coeffs[4 * i + 1] << 6;
- r[3 * i + 1] = a->coeffs[4 * i + 1] >> 2;
- r[3 * i + 1] |= a->coeffs[4 * i + 2] << 4;
- r[3 * i + 2] = a->coeffs[4 * i + 2] >> 4;
- r[3 * i + 2] |= a->coeffs[4 * i + 3] << 2;
- }
-
- #elif GAMMA2 == (DILITHIUM_Q-1)/32
-
- for (i = 0; i < N / 2; ++i) {
- r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4);
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef POLY_H
-#define POLY_H
-#include "params.h"
-#include <stdint.h>
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-#define poly_freeze DILITHIUM_NAMESPACE(poly_freeze)
-void poly_freeze(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-#define poly_uniformx2 DILITHIUM_NAMESPACE(poly_uniformx2)
-void poly_uniformx2(poly *a0, poly *a1,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_etax2 DILITHIUM_NAMESPACE(poly_uniform_etax2)
-void poly_uniform_etax2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_gamma1x2 DILITHIUM_NAMESPACE(poly_uniform_gamma1x2)
-void poly_uniform_gamma1x2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t *r, const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t *a);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t *r, const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t *a);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t *r, const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t *a);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t *r, const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include <stdint.h>
-
-#include "reduce.h"
-
-static const int32_t l_montgomery_const[4] = {
- DILITHIUM_Q, DILITHIUM_QINV
-};
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
-
- for (j = 0; j < L; ++j) {
- for (i = 0; i < K; i += 2) {
- poly_uniformx2(&mat[i + 0].vec[j], &mat[i + 1].vec[j], rho, (uint16_t) ((i << 8) + j), (uint16_t) (((i + 1) << 8) + j));
- }
- }
-}
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
- }
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L - 1; i += 2) {
- poly_uniform_gamma1x2(&v->vec[i + 0], &v->vec[i + 1], seed, (uint16_t) (L * nonce + i + 0), (uint16_t) (L * nonce + i + 1));
- }
- if (L & 1) {
- poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + L - 1));
- }
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length L
-* to standard representatives.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_freeze(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_ntt(&v->vec[i]);
- }
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-extern void PQCLEAN_DILITHIUM2_AARCH64__asm_polyvecl_pointwise_acc_montgomery(int32_t *, const int32_t *, const int32_t *, const int32_t *);
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v) {
- PQCLEAN_DILITHIUM2_AARCH64__asm_polyvecl_pointwise_acc_montgomery(w->coeffs, u->vec[0].coeffs, v->vec[0].coeffs, l_montgomery_const);
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- if (poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_caddq(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to standard representatives.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_freeze(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_shiftl(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_ntt(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- if (poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - polyveck *h: pointer to output vector
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1) {
- unsigned int i, s = 0;
-
- for (i = 0; i < K; ++i) {
- s += poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
- }
-
- return s;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
- }
-}
-
-void polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]);
- }
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef POLYVEC_H
-#define POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include <stdint.h>
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_freeze DILITHIUM_NAMESPACE(polyvecl_freeze)
-void polyvecl_freeze(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-#define polyveck_freeze DILITHIUM_NAMESPACE(polyveck_freeze)
-void polyveck_freeze(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "params.h"
-#include "reduce.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int32_t)((uint64_t)a * (uint64_t)DILITHIUM_QINV);
- t = (a - (int64_t)t * DILITHIUM_Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t * DILITHIUM_Q;
- return t;
-}
-
-/*************************************************
-* Name: caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t caddq(int32_t a) {
- a += (a >> 31) & DILITHIUM_Q;
- return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t freeze(int32_t a) {
- a = reduce32(a);
- a = caddq(a);
- return a;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef REDUCE_H
-#define REDUCE_H
-#include "params.h"
-#include <stdint.h>
-
-#define DILITHIUM_QINV 58728449 // q^(-1) mod 2^32
-
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
-
-#define reduce32 DILITHIUM_NAMESPACE(reduce32)
-int32_t reduce32(int32_t a);
-
-#define caddq DILITHIUM_NAMESPACE(caddq)
-int32_t caddq(int32_t a);
-
-#define freeze DILITHIUM_NAMESPACE(freeze)
-int32_t freeze(int32_t a);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "params.h"
-#include "rounding.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D - 1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
- #if GAMMA2 == (DILITHIUM_Q-1)/32
-
- a1 = (a1 * 1025 + (1 << 21)) >> 22;
- a1 &= 15;
-
- #elif GAMMA2 == (DILITHIUM_Q-1)/88
-
- a1 = (a1 * 11275 + (1 << 23)) >> 24;
- a1 ^= ((43 - a1) >> 31) & a1;
-
- #else
-
-#error "No parameter specified"
-
- #endif
-
- *a0 = a - a1 * 2 * GAMMA2;
- *a0 -= (((DILITHIUM_Q - 1) / 2 - *a0) >> 31) & DILITHIUM_Q;
- return a1;
-}
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if (a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0)) {
- return 1;
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = decompose(&a0, a);
- if (hint == 0) {
- return a1;
- }
-
- #if GAMMA2 == (DILITHIUM_Q-1)/32
-
- if (a0 > 0) {
- return (a1 + 1) & 15;
- }
- return (a1 - 1) & 15;
- #elif GAMMA2 == (DILITHIUM_Q-1)/88
-
- if (a0 > 0) {
- return (a1 == 43) ? 0 : a1 + 1;
- }
- return (a1 == 0) ? 43 : a1 - 1;
- #endif
-
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef ROUNDING_H
-#define ROUNDING_H
-#include "params.h"
-#include <stdint.h>
-
-#define power2round DILITHIUM_NAMESPACE(power2round)
-int32_t power2round(int32_t *a0, int32_t a);
-
-#define decompose DILITHIUM_NAMESPACE(decompose)
-int32_t decompose(int32_t *a0, int32_t a);
-
-#define make_hint DILITHIUM_NAMESPACE(make_hint)
-unsigned int make_hint(int32_t a0, int32_t a1);
-
-#define use_hint DILITHIUM_NAMESPACE(use_hint)
-int32_t use_hint(int32_t a, unsigned int hint);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "fips202.h"
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "randombytes.h"
-#include "sign.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
- const uint8_t *rho, *rhoprime, *key;
- polyvecl mat[K];
- polyvecl s1, s1hat;
- polyveck s2, t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Expand matrix */
- polyvec_matrix_expand(mat, rho);
-
- /* Sample short vectors s1 and s2 */
- polyvecl_uniform_eta(&s1, rhoprime, 0);
- polyveck_uniform_eta(&s2, rhoprime, L);
-
- /* Matrix-vector multiplication */
- s1hat = s1;
- polyvecl_ntt(&s1hat);
- polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat);
- polyveck_reduce(&t1);
- polyveck_invntt_tomont(&t1);
-
- /* Add error vector s2 */
- polyveck_add(&t1, &t1, &s2);
-
- /* Extract t1 and write public key */
- polyveck_caddq(&t1);
- polyveck_power2round(&t1, &t0, &t1);
- pack_pk(pk, rho, &t1);
-
- /* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig,
- size_t *siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk) {
- unsigned int n;
- uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint16_t nonce = 0;
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- // liboqs uses randomized signing for the reference and
- // avx2 implementations of dilithium. pqclean currently
- // doesn't support randomized signing, so this is patched
- // in. If/when pqclean adds randomized signing to dilithium
- // this will need to be updated.
- randombytes(rhoprime, CRHBYTES);
- //shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-rej:
- /* Sample intermediate vector y */
- polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
- /* Matrix-vector multiplication */
- z = y;
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
- /* Compute z, reject if it reveals secret */
- polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
- polyvecl_invntt_tomont(&z);
- polyvecl_add(&z, &z, &y);
- polyvecl_reduce(&z);
- if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
- goto rej;
- }
-
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
- polyveck_invntt_tomont(&h);
- polyveck_sub(&w0, &w0, &h);
- polyveck_reduce(&w0);
- if (polyveck_chknorm(&w0, GAMMA2 - BETA)) {
- goto rej;
- }
-
- /* Compute hints for w1 */
- polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
- polyveck_invntt_tomont(&h);
- polyveck_reduce(&h);
- if (polyveck_chknorm(&h, GAMMA2)) {
- goto rej;
- }
-
- polyveck_add(&w0, &w0, &h);
- n = polyveck_make_hint(&h, &w0, &w1);
- if (n > OMEGA) {
- goto rej;
- }
-
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm,
- size_t *smlen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk) {
- size_t i;
-
- for (i = 0; i < mlen; ++i) {
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- }
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig,
- size_t siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *pk) {
- unsigned int i;
- uint8_t buf[K * POLYW1_PACKEDBYTES];
- uint8_t rho[SEEDBYTES];
- uint8_t mu[CRHBYTES];
- uint8_t c[SEEDBYTES];
- uint8_t c2[SEEDBYTES];
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
- shake256incctx state;
-
- if (siglen != CRYPTO_BYTES) {
- return -1;
- }
-
- unpack_pk(rho, &t1, pk);
- if (unpack_sig(c, &z, &h, sig)) {
- return -1;
- }
- if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
- return -1;
- }
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
- polyvec_matrix_expand(mat, rho);
-
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
- poly_ntt(&cp);
- polyveck_shiftl(&t1);
- polyveck_ntt(&t1);
- polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
- polyveck_sub(&w1, &w1, &t1);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Reconstruct w1 */
- polyveck_caddq(&w1);
- polyveck_use_hint(&w1, &w1, &h);
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(c2, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for (i = 0; i < SEEDBYTES; ++i) {
- if (c[i] != c2[i]) {
- return -1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m,
- size_t *mlen,
- const uint8_t *sm,
- size_t smlen,
- const uint8_t *pk) {
- size_t i;
-
- if (smlen < CRYPTO_BYTES) {
- goto badsig;
- }
-
- *mlen = smlen - CRYPTO_BYTES;
- if (crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) {
- goto badsig;
- } else {
- /* All good, copy msg, return 0 */
- for (i = 0; i < *mlen; ++i) {
- m[i] = sm[CRYPTO_BYTES + i];
- }
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = (size_t) -1;
- for (i = 0; i < smlen; ++i) {
- m[i] = 0;
- }
-
- return -1;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef SIGN_H
-#define SIGN_H
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include <stddef.h>
-#include <stdint.h>
-
-
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "fips202.h"
-#include "params.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- uint8_t t[2];
- t[0] = (uint8_t) nonce;
- t[1] = (uint8_t) (nonce >> 8);
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- uint8_t t[2];
- t[0] = (uint8_t) nonce;
- t[1] = (uint8_t) (nonce >> 8);
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
-
-void dilithium_shake128x2_stream_init(keccakx2_state *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce1, uint16_t nonce2) {
- unsigned int i;
- uint8_t extseed1[SEEDBYTES + 2 + 14];
- uint8_t extseed2[SEEDBYTES + 2 + 14];
-
- for (i = 0; i < SEEDBYTES; i++) {
- extseed1[i] = seed[i];
- extseed2[i] = seed[i];
- }
- extseed1[SEEDBYTES] = (uint8_t) nonce1;
- extseed1[SEEDBYTES + 1] = (uint8_t) (nonce1 >> 8);
-
- extseed2[SEEDBYTES ] = (uint8_t) nonce2;
- extseed2[SEEDBYTES + 1] = (uint8_t) (nonce2 >> 8);
-
- shake128x2_absorb(state, extseed1, extseed2, SEEDBYTES + 2);
-}
-
-void dilithium_shake256x2_stream_init(keccakx2_state *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce1, uint16_t nonce2) {
- unsigned int i;
- uint8_t extseed1[CRHBYTES + 2 + 14];
- uint8_t extseed2[CRHBYTES + 2 + 14];
-
- for (i = 0; i < CRHBYTES; i++) {
- extseed1[i] = seed[i];
- extseed2[i] = seed[i];
- }
- extseed1[CRHBYTES] = (uint8_t) nonce1;
- extseed1[CRHBYTES + 1] = (uint8_t) (nonce1 >> 8);
-
- extseed2[CRHBYTES ] = (uint8_t) nonce2;
- extseed2[CRHBYTES + 1] = (uint8_t) (nonce2 >> 8);
-
- shake256x2_absorb(state, extseed1, extseed2, CRHBYTES + 2);
-}
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-#include "fips202.h"
-#include "fips202x2.h"
-#include "params.h"
-#include <stdint.h>
-
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-#define dilithium_shake128x2_stream_init DILITHIUM_NAMESPACE(dilithium_shake128x2_stream_init)
-void dilithium_shake128x2_stream_init(keccakx2_state *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce1, uint16_t nonce2);
-#define dilithium_shake256x2_stream_init DILITHIUM_NAMESPACE(dilithium_shake256x2_stream_init)
-void dilithium_shake256x2_stream_init(keccakx2_state *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce1, uint16_t nonce2);
-
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-
-#endif
+++ /dev/null
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
- CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
- LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
- ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
- INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
- REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
- PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
- THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
- HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display,
- communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
- likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
- v. rights protecting the extraction, dissemination, use and reuse of data
- in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation
- thereof, including any amended or successor version of such
- directive); and
-vii. other similar, equivalent or corresponding rights throughout the
- world based on applicable law or treaty, and any national
- implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
- warranties of any kind concerning the Work, express, implied,
- statutory or otherwise, including without limitation warranties of
- title, merchantability, fitness for a particular purpose, non
- infringement, or the absence of latent or other defects, accuracy, or
- the present or absence of errors, whether or not discoverable, all to
- the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without
- limitation any person's Copyright and Related Rights in the Work.
- Further, Affirmer disclaims responsibility for obtaining any necessary
- consents, permissions or other rights required for any use of the
- Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to
- this CC0 or use of the Work.
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef NTT_PARAMS_H
-#define NTT_PARAMS_H
-
-#define ARRAY_N 256
-
-#define NTT_N 256
-#define LOGNTT_N 8
-
-// root of unity: 1753
-
-
-// Q1
-#define Q1 8380417
-// omegaQ1 = 1753 mod Q1
-#define omegaQ1 1753
-// invomegaQ1 = omegaQ^{-1} mod Q1
-#define invomegaQ1 731434
-// R = 2^32 below
-// RmodQ1 = 2^32 mod^{+-} Q1
-#define RmodQ1 (-4186625)
-// Q1prime = Q1^{-1} mod^{+-} 2^32
-#define Q1prime 58728449
-// invNQ1 = NTT_N^{-1} mod Q1
-#define invNQ1 8347681
-
-// invNQ1R2modQ1 = -NTT_N^{-1} 2^32 2^32 mod^{+-} Q1 below
-#define invNQ1R2modQ1 (-41978)
-// invNQ1R2modQ1_prime = invNQ1R2modQ1 (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1R2modQ1_prime 8395782
-// invNQ1R2modQ1_prime_half = (invNQ1R2modQ1 / 2) (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1R2modQ1_prime_half 4197891
-// invNQ1R2modQ1_doubleprime = (invNQ1R2modQ1_prime Q1 - invNQ1R2modQ1) / 2^32
-#define invNQ1R2modQ1_doubleprime 16382
-
-// invNQ1_final_R2modQ1 = -invNQ1R2modQ1 invomegaQ1^{128} mod q
-#define invNQ1_final_R2modQ1 4404704
-// invNQ1_final_R2modQ1_prime = invNQ1_final_R2modQ1 (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1_final_R2modQ1_prime (-151046688)
-// invNQ1_final_R2modQ1_prime_half = (invNQ1_final_R2modQ1 / 2) (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1_final_R2modQ1_prime_half (-75523344)
-// invNQ1_final_R2modQ1_doubleprime = (invNQ1_final_R2modQ1_prime Q1 - invNQ1_final_R2modQ1) / 2^32
-#define invNQ1_final_R2modQ1_doubleprime (-294725)
-
-// RmodQ1_prime = -(RmodQ1 + Q1) Q1prime mod^{+-} 2^32
-#define RmodQ1_prime 512
-// RmodQ1_prime_half = ( -(RmodQ1 + Q1) / 2) Q1prime mod^{+-} 2^32
-#define RmodQ1_prime_half 256
-// RmodQ1_doubleprime = (RmodQ1_prime Q1 - RmodQ1_prime ) / 2^32
-#define RmodQ1_doubleprime 1
-
-#endif
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_top
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_top
-PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_top:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_top:
-
- push_all
- Q .req w20
- src0 .req x0
- src1 .req x1
- src2 .req x2
- src3 .req x3
- src4 .req x4
- src5 .req x5
- src6 .req x6
- src7 .req x7
- src8 .req x8
- src9 .req x9
- src10 .req x10
- src11 .req x11
- src12 .req x12
- src13 .req x13
- src14 .req x14
- src15 .req x15
- table .req x28
- counter .req x19
-
- ldr Q, [x2]
-
- mov table, x1
-
- add src1, src0, #64
- add src2, src0, #128
-
- add src3, src0, #192
- add src4, src0, #256
-
- add src5, src0, #320
- add src6, src0, #384
-
- add src7, src0, #448
- add src8, src0, #512
-
- add src9, src0, #576
- add src10, src0, #640
-
- add src11, src0, #704
- add src12, src0, #768
-
- add src13, src0, #832
- add src14, src0, #896
-
- add src15, src0, #960
-
- ld1 {v20.4S, v21.4S, v22.4S, v23.4S}, [table], #64
- ld1 {v24.4S, v25.4S, v26.4S, v27.4S}, [table], #64
-
- mov v20.S[0], Q
-
- ld1 { v1.4S}, [ src1]
- ld1 { v3.4S}, [ src3]
- ld1 { v5.4S}, [ src5]
- ld1 { v7.4S}, [ src7]
- ld1 { v9.4S}, [ src9]
- ld1 {v11.4S}, [src11]
- ld1 {v13.4S}, [src13]
- ld1 {v15.4S}, [src15]
-
- ld1 { v0.4S}, [ src0]
- ld1 { v2.4S}, [ src2]
- ld1 { v4.4S}, [ src4]
- ld1 { v6.4S}, [ src6]
- ld1 { v8.4S}, [ src8]
- ld1 {v10.4S}, [src10]
- ld1 {v12.4S}, [src12]
- ld1 {v14.4S}, [src14]
-
- qq_butterfly_top v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_bot v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
-
- mov counter, #3
- _ntt_top_loop:
-
- st1 { v1.4S}, [ src1], #16
- ld1 { v1.4S}, [ src1]
- st1 { v3.4S}, [ src3], #16
- ld1 { v3.4S}, [ src3]
- st1 { v5.4S}, [ src5], #16
- ld1 { v5.4S}, [ src5]
- st1 { v7.4S}, [ src7], #16
- ld1 { v7.4S}, [ src7]
- st1 { v9.4S}, [ src9], #16
- ld1 { v9.4S}, [ src9]
- st1 {v11.4S}, [src11], #16
- ld1 {v11.4S}, [src11]
- st1 {v13.4S}, [src13], #16
- ld1 {v13.4S}, [src13]
- st1 {v15.4S}, [src15], #16
- ld1 {v15.4S}, [src15]
-
- st1 { v0.4S}, [ src0], #16
- ld1 { v0.4S}, [ src0]
- st1 { v2.4S}, [ src2], #16
- ld1 { v2.4S}, [ src2]
- st1 { v4.4S}, [ src4], #16
- ld1 { v4.4S}, [ src4]
- st1 { v6.4S}, [ src6], #16
- ld1 { v6.4S}, [ src6]
- st1 { v8.4S}, [ src8], #16
- ld1 { v8.4S}, [ src8]
- st1 {v10.4S}, [src10], #16
- ld1 {v10.4S}, [src10]
- st1 {v12.4S}, [src12], #16
- ld1 {v12.4S}, [src12]
- st1 {v14.4S}, [src14], #16
- ld1 {v14.4S}, [src14]
-
- qq_butterfly_top v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_bot v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
-
- sub counter, counter, #1
- cbnz counter, _ntt_top_loop
-
- st1 { v1.4S}, [ src1], #16
- st1 { v3.4S}, [ src3], #16
- st1 { v5.4S}, [ src5], #16
- st1 { v7.4S}, [ src7], #16
- st1 { v9.4S}, [ src9], #16
- st1 {v11.4S}, [src11], #16
- st1 {v13.4S}, [src13], #16
- st1 {v15.4S}, [src15], #16
-
- st1 { v0.4S}, [ src0], #16
- st1 { v2.4S}, [ src2], #16
- st1 { v4.4S}, [ src4], #16
- st1 { v6.4S}, [ src6], #16
- st1 { v8.4S}, [ src8], #16
- st1 {v10.4S}, [src10], #16
- st1 {v12.4S}, [src12], #16
- st1 {v14.4S}, [src14], #16
-
- .unreq Q
- .unreq src0
- .unreq src1
- .unreq src2
- .unreq src3
- .unreq src4
- .unreq src5
- .unreq src6
- .unreq src7
- .unreq src8
- .unreq src9
- .unreq src10
- .unreq src11
- .unreq src12
- .unreq src13
- .unreq src14
- .unreq src15
- .unreq table
- .unreq counter
- pop_all
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_bot
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_bot
-PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_bot:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_bot:
-
- push_all
- Q .req w20
- src0 .req x0
- des0 .req x1
- src1 .req x2
- des1 .req x3
- table0 .req x28
- table1 .req x27
- counter .req x19
-
- ldr Q, [x2]
-
- add table0, x1, #128
- add table1, table0, #1024
-
- add src1, src0, #512
-
- add des0, src0, #0
- add des1, src0, #512
-
- mov counter, #8
- _ntt_bot_loop:
-
- ld1 { v0.4S, v1.4S, v2.4S, v3.4S}, [src0], #64
- ld1 { v16.4S, v17.4S, v18.4S, v19.4S}, [src1], #64
-
- ld1 { v4.4S, v5.4S}, [table0], #32
- ld2 { v6.4S, v7.4S}, [table0], #32
- ld4 { v8.4S, v9.4S, v10.4S, v11.4S}, [table0], #64
- ld1 { v20.4S, v21.4S}, [table1], #32
- ld2 { v22.4S, v23.4S}, [table1], #32
- ld4 { v24.4S, v25.4S, v26.4S, v27.4S}, [table1], #64
-
- mov v4.S[0], Q
-
- dq_butterfly_top v0, v1, v2, v3, v12, v13, v4, v4, 2, 3, v4, 2, 3
- dq_butterfly_mixed v0, v1, v2, v3, v12, v13, v16, v17, v18, v19, v28, v29, v4, v4, 2, 3, v4, 2, 3, v20, 2, 3, v20, 2, 3
- dq_butterfly_mixed v16, v17, v18, v19, v28, v29, v0, v2, v1, v3, v12, v13, v4, v20, 2, 3, v20, 2, 3, v5, 0, 1, v5, 2, 3
- dq_butterfly_mixed v0, v2, v1, v3, v12, v13, v16, v18, v17, v19, v28, v29, v4, v5, 0, 1, v5, 2, 3, v21, 0, 1, v21, 2, 3
- dq_butterfly_bot v16, v18, v17, v19, v28, v29, v4, v21, 0, 1, v21, 2, 3
-
- trn_4x4 v0, v1, v2, v3, v12, v13, v14, v15
- trn_4x4 v16, v17, v18, v19, v28, v29, v30, v31
-
- dq_butterfly_vec_top v0, v1, v2, v3, v12, v13, v4, v6, v7, v6, v7
- dq_butterfly_vec_mixed v0, v1, v2, v3, v12, v13, v16, v17, v18, v19, v28, v29, v4, v6, v7, v6, v7, v22, v23, v22, v23
- dq_butterfly_vec_mixed v16, v17, v18, v19, v28, v29, v0, v2, v1, v3, v12, v13, v4, v22, v23, v22, v23, v8, v9, v10, v11
- dq_butterfly_vec_mixed v0, v2, v1, v3, v12, v13, v16, v18, v17, v19, v28, v29, v4, v8, v9, v10, v11, v24, v25, v26, v27
- dq_butterfly_vec_bot v16, v18, v17, v19, v28, v29, v4, v24, v25, v26, v27
-
- st4 { v0.4S, v1.4S, v2.4S, v3.4S}, [des0], #64
- st4 { v16.4S, v17.4S, v18.4S, v19.4S}, [des1], #64
-
- sub counter, counter, #1
- cbnz counter, _ntt_bot_loop
-
- .unreq Q
- .unreq src0
- .unreq des0
- .unreq src1
- .unreq des1
- .unreq table0
- .unreq table1
- .unreq counter
- pop_all
-
- br lr
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_top
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_top
-PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_top:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_top:
-
- push_all
- Q .req w20
- Qhalf .req w21
- nQhalf .req w22
- invNR2ph .req w24
- invNR2dp .req w25
- invNWR2ph .req w26
- invNWR2dp .req w27
- src0 .req x0
- src1 .req x1
- src2 .req x2
- src3 .req x3
- src4 .req x4
- src5 .req x5
- src6 .req x6
- src7 .req x7
- src8 .req x8
- src9 .req x9
- src10 .req x10
- src11 .req x11
- src12 .req x12
- src13 .req x13
- src14 .req x14
- src15 .req x15
- table .req x28
- counter .req x19
-
- ldr Q, [x2, #0]
- lsr Qhalf, Q, #1
- neg nQhalf, Qhalf
-
- ldr invNR2ph, [x2, #16]
- ldr invNR2dp, [x2, #20]
- ldr invNWR2ph, [x2, #24]
- ldr invNWR2dp, [x2, #28]
-
- mov table, x1
-
- add src1, src0, #64
- add src2, src0, #128
-
- add src3, src0, #192
- add src4, src0, #256
-
- add src5, src0, #320
- add src6, src0, #384
-
- add src7, src0, #448
- add src8, src0, #512
-
- add src9, src0, #576
- add src10, src0, #640
-
- add src11, src0, #704
- add src12, src0, #768
-
- add src13, src0, #832
- add src14, src0, #896
-
- add src15, src0, #960
-
- ld1 {v20.4S, v21.4S, v22.4S, v23.4S}, [table], #64
- ld1 {v24.4S, v25.4S, v26.4S, v27.4S}, [table], #64
-
- mov v20.S[0], Q
-
- ld1 { v0.4S}, [ src0]
- ld1 { v1.4S}, [ src1]
- ld1 { v2.4S}, [ src2]
- ld1 { v3.4S}, [ src3]
- ld1 { v4.4S}, [ src4]
- ld1 { v5.4S}, [ src5]
- ld1 { v6.4S}, [ src6]
- ld1 { v7.4S}, [ src7]
-
- ld1 { v8.4S}, [ src8]
- ld1 { v9.4S}, [ src9]
- ld1 {v10.4S}, [src10]
- ld1 {v11.4S}, [src11]
- ld1 {v12.4S}, [src12]
- ld1 {v13.4S}, [src13]
- ld1 {v14.4S}, [src14]
- ld1 {v15.4S}, [src15]
-
- qq_butterfly_bot v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed_rev v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_mixed_rev v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3
- qq_butterfly_mixed_rev v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v20, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3
- qq_butterfly_mixed_rev v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v20, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1
- qq_butterfly_mixed_rev v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
- qq_butterfly_top v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
-
- mov v20.S[2], invNWR2ph
- mov v20.S[3], invNWR2dp
-
- qq_sub_add v16, v17, v18, v19, v28, v29, v30, v31, v0, v2, v4, v6, v8, v10, v12, v14
- qq_sub_add v0, v2, v4, v6, v8, v10, v12, v14, v1, v3, v5, v7, v9, v11, v13, v15
-
- qq_montgomery_mul v9, v11, v13, v15, v8, v10, v12, v14, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- mov v20.S[2], invNR2ph
- mov v20.S[3], invNR2dp
-
- qq_montgomery_mul v1, v3, v5, v7, v0, v2, v4, v6, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v0, v2, v4, v6, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- dup v29.4S, Q
- dup v30.4S, Qhalf
- dup v31.4S, nQhalf
-
- cmge v18.4S, v31.4S, v0.4S
- cmge v19.4S, v31.4S, v1.4S
- cmge v16.4S, v0.4S, v30.4S
- cmge v17.4S, v1.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v0.4S, v16.4S, v29.4S
- mla v1.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v2.4S
- cmge v19.4S, v31.4S, v3.4S
- cmge v16.4S, v2.4S, v30.4S
- cmge v17.4S, v3.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v2.4S, v16.4S, v29.4S
- mla v3.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v4.4S
- cmge v19.4S, v31.4S, v5.4S
- cmge v16.4S, v4.4S, v30.4S
- cmge v17.4S, v5.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v4.4S, v16.4S, v29.4S
- mla v5.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v6.4S
- cmge v19.4S, v31.4S, v7.4S
- cmge v16.4S, v6.4S, v30.4S
- cmge v17.4S, v7.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v6.4S, v16.4S, v29.4S
- mla v7.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v8.4S
- cmge v19.4S, v31.4S, v9.4S
- cmge v16.4S, v8.4S, v30.4S
- cmge v17.4S, v9.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v8.4S, v16.4S, v29.4S
- mla v9.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v10.4S
- cmge v19.4S, v31.4S, v11.4S
- cmge v16.4S, v10.4S, v30.4S
- cmge v17.4S, v11.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v10.4S, v16.4S, v29.4S
- mla v11.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v12.4S
- cmge v19.4S, v31.4S, v13.4S
- cmge v16.4S, v12.4S, v30.4S
- cmge v17.4S, v13.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v12.4S, v16.4S, v29.4S
- mla v13.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v14.4S
- cmge v19.4S, v31.4S, v15.4S
- cmge v16.4S, v14.4S, v30.4S
- cmge v17.4S, v15.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v14.4S, v16.4S, v29.4S
- mla v15.4S, v17.4S, v29.4S
-
- mov counter, #3
- _intt_top_loop:
-
- st1 { v0.4S}, [ src0], #16
- ld1 { v0.4S}, [ src0]
- st1 { v1.4S}, [ src1], #16
- ld1 { v1.4S}, [ src1]
- st1 { v2.4S}, [ src2], #16
- ld1 { v2.4S}, [ src2]
- st1 { v3.4S}, [ src3], #16
- ld1 { v3.4S}, [ src3]
- st1 { v4.4S}, [ src4], #16
- ld1 { v4.4S}, [ src4]
- st1 { v5.4S}, [ src5], #16
- ld1 { v5.4S}, [ src5]
- st1 { v6.4S}, [ src6], #16
- ld1 { v6.4S}, [ src6]
- st1 { v7.4S}, [ src7], #16
- ld1 { v7.4S}, [ src7]
-
- st1 { v8.4S}, [ src8], #16
- ld1 { v8.4S}, [ src8]
- st1 { v9.4S}, [ src9], #16
- ld1 { v9.4S}, [ src9]
- st1 {v10.4S}, [src10], #16
- ld1 {v10.4S}, [src10]
- st1 {v11.4S}, [src11], #16
- ld1 {v11.4S}, [src11]
- st1 {v12.4S}, [src12], #16
- ld1 {v12.4S}, [src12]
- st1 {v13.4S}, [src13], #16
- ld1 {v13.4S}, [src13]
- st1 {v14.4S}, [src14], #16
- ld1 {v14.4S}, [src14]
- st1 {v15.4S}, [src15], #16
- ld1 {v15.4S}, [src15]
-
- qq_butterfly_bot v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed_rev v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_mixed_rev v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3
- qq_butterfly_mixed_rev v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v20, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3
- qq_butterfly_mixed_rev v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v20, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1
- qq_butterfly_mixed_rev v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
- qq_butterfly_top v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
-
- mov v20.S[2], invNWR2ph
- mov v20.S[3], invNWR2dp
-
- qq_sub_add v16, v17, v18, v19, v28, v29, v30, v31, v0, v2, v4, v6, v8, v10, v12, v14
- qq_sub_add v0, v2, v4, v6, v8, v10, v12, v14, v1, v3, v5, v7, v9, v11, v13, v15
-
- qq_montgomery_mul v9, v11, v13, v15, v8, v10, v12, v14, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- mov v20.S[2], invNR2ph
- mov v20.S[3], invNR2dp
-
- qq_montgomery_mul v1, v3, v5, v7, v0, v2, v4, v6, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v0, v2, v4, v6, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- dup v29.4S, Q
- dup v30.4S, Qhalf
- dup v31.4S, nQhalf
-
- cmge v18.4S, v31.4S, v0.4S
- cmge v19.4S, v31.4S, v1.4S
- cmge v16.4S, v0.4S, v30.4S
- cmge v17.4S, v1.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v0.4S, v16.4S, v29.4S
- mla v1.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v2.4S
- cmge v19.4S, v31.4S, v3.4S
- cmge v16.4S, v2.4S, v30.4S
- cmge v17.4S, v3.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v2.4S, v16.4S, v29.4S
- mla v3.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v4.4S
- cmge v19.4S, v31.4S, v5.4S
- cmge v16.4S, v4.4S, v30.4S
- cmge v17.4S, v5.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v4.4S, v16.4S, v29.4S
- mla v5.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v6.4S
- cmge v19.4S, v31.4S, v7.4S
- cmge v16.4S, v6.4S, v30.4S
- cmge v17.4S, v7.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v6.4S, v16.4S, v29.4S
- mla v7.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v8.4S
- cmge v19.4S, v31.4S, v9.4S
- cmge v16.4S, v8.4S, v30.4S
- cmge v17.4S, v9.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v8.4S, v16.4S, v29.4S
- mla v9.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v10.4S
- cmge v19.4S, v31.4S, v11.4S
- cmge v16.4S, v10.4S, v30.4S
- cmge v17.4S, v11.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v10.4S, v16.4S, v29.4S
- mla v11.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v12.4S
- cmge v19.4S, v31.4S, v13.4S
- cmge v16.4S, v12.4S, v30.4S
- cmge v17.4S, v13.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v12.4S, v16.4S, v29.4S
- mla v13.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v14.4S
- cmge v19.4S, v31.4S, v15.4S
- cmge v16.4S, v14.4S, v30.4S
- cmge v17.4S, v15.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v14.4S, v16.4S, v29.4S
- mla v15.4S, v17.4S, v29.4S
-
- sub counter, counter, #1
- cbnz counter, _intt_top_loop
-
- st1 { v0.4S}, [ src0], #16
- st1 { v1.4S}, [ src1], #16
- st1 { v2.4S}, [ src2], #16
- st1 { v3.4S}, [ src3], #16
- st1 { v4.4S}, [ src4], #16
- st1 { v5.4S}, [ src5], #16
- st1 { v6.4S}, [ src6], #16
- st1 { v7.4S}, [ src7], #16
-
- st1 { v8.4S}, [ src8], #16
- st1 { v9.4S}, [ src9], #16
- st1 {v10.4S}, [src10], #16
- st1 {v11.4S}, [src11], #16
- st1 {v12.4S}, [src12], #16
- st1 {v13.4S}, [src13], #16
- st1 {v14.4S}, [src14], #16
- st1 {v15.4S}, [src15], #16
-
- .unreq Q
- .unreq Qhalf
- .unreq nQhalf
- .unreq invNR2ph
- .unreq invNR2dp
- .unreq invNWR2ph
- .unreq invNWR2dp
- .unreq src0
- .unreq src1
- .unreq src2
- .unreq src3
- .unreq src4
- .unreq src5
- .unreq src6
- .unreq src7
- .unreq src8
- .unreq src9
- .unreq src10
- .unreq src11
- .unreq src12
- .unreq src13
- .unreq src14
- .unreq src15
- .unreq table
- .unreq counter
- pop_all
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_bot
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_bot
-PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_bot:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_bot:
-
- push_all
- Q .req w20
- RphRdp .req x21
- src0 .req x0
- des0 .req x1
- src1 .req x2
- des1 .req x3
- table0 .req x28
- table1 .req x27
- counter .req x19
-
- ldr Q, [x2]
- ldr RphRdp, [x2, #8]
-
- add table0, x1, #128
- add table1, table0, #1024
-
- add src1, src0, #512
-
- add des0, src0, #0
- add des1, src0, #512
-
- mov counter, #8
- _intt_bot_loop:
-
- ld4 { v0.4S, v1.4S, v2.4S, v3.4S}, [src0], #64
- ld4 { v16.4S, v17.4S, v18.4S, v19.4S}, [src1], #64
-
- ld1 { v4.4S, v5.4S}, [table0], #32
- ld2 { v6.4S, v7.4S}, [table0], #32
- ld4 { v8.4S, v9.4S, v10.4S, v11.4S}, [table0], #64
- ld1 { v20.4S, v21.4S}, [table1], #32
- ld2 { v22.4S, v23.4S}, [table1], #32
- ld4 { v24.4S, v25.4S, v26.4S, v27.4S}, [table1], #64
-
- mov v4.S[0], Q
- mov v20.D[0], RphRdp
-
- dq_butterfly_vec_bot v0, v2, v12, v13, v1, v3, v4, v8, v9, v10, v11
- dq_butterfly_vec_mixed_rev v0, v2, v12, v13, v1, v3, v16, v18, v28, v29, v17, v19, v4, v8, v9, v10, v11, v24, v25, v26, v27
- dq_butterfly_vec_mixed_rev v16, v18, v28, v29, v17, v19, v0, v1, v12, v13, v2, v3, v4, v24, v25, v26, v27, v6, v7, v6, v7
- dq_butterfly_vec_mixed_rev v0, v1, v12, v13, v2, v3, v16, v17, v28, v29, v18, v19, v4, v6, v7, v6, v7, v22, v23, v22, v23
- dq_butterfly_vec_top v16, v17, v28, v29, v18, v19, v4, v22, v23, v22, v23
-
- trn_4x4 v0, v1, v2, v3, v12, v13, v14, v15
- trn_4x4 v16, v17, v18, v19, v28, v29, v30, v31
-
- dq_butterfly_bot v0, v2, v12, v13, v1, v3, v4, v5, 0, 1, v5, 2, 3
- dq_butterfly_mixed_rev v0, v2, v12, v13, v1, v3, v16, v18, v28, v29, v17, v19, v4, v5, 0, 1, v5, 2, 3, v21, 0, 1, v21, 2, 3
- dq_butterfly_mixed_rev v16, v18, v28, v29, v17, v19, v0, v1, v12, v13, v2, v3, v4, v21, 0, 1, v21, 2, 3, v4, 2, 3, v4, 2, 3
- dq_butterfly_mixed_rev v0, v1, v12, v13, v2, v3, v16, v17, v28, v29, v18, v19, v4, v4, 2, 3, v4, 2, 3, v20, 2, 3, v20, 2, 3
- dq_butterfly_top v16, v17, v28, v29, v18, v19, v4, v20, 2, 3, v20, 2, 3
-
- srshr v14.4S, v0.4S, #23
- srshr v15.4S, v1.4S, #23
- srshr v30.4S, v16.4S, #23
- srshr v31.4S, v17.4S, #23
-
- mls v0.4S, v14.4S, v4.S[0]
- mls v1.4S, v15.4S, v4.S[0]
- mls v16.4S, v30.4S, v4.S[0]
- mls v17.4S, v31.4S, v4.S[0]
-
- st1 { v0.4S, v1.4S, v2.4S, v3.4S}, [des0], #64
- st1 { v16.4S, v17.4S, v18.4S, v19.4S}, [des1], #64
-
- sub counter, counter, #1
- cbnz counter, _intt_bot_loop
-
- .unreq Q
- .unreq RphRdp
- .unreq src0
- .unreq des0
- .unreq src1
- .unreq des1
- .unreq table0
- .unreq table1
- .unreq counter
- pop_all
-
- br lr
-
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-#include "params.h"
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_10_to_32
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_10_to_32
-PQCLEAN_DILITHIUM3_AARCH64__asm_10_to_32:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_10_to_32:
-
- mov x7, #16
- _10_to_32_loop:
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #10
- str w3, [x0], #4
- ubfx w4, w2, #10, #10
- str w4, [x0], #4
- ubfx w5, w2, #20, #10
- str w5, [x0], #4
- lsr w6, w2, #30
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #8
- lsl w3, w3, #2
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #8, #10
- str w4, [x0], #4
- ubfx w5, w2, #18, #10
- str w5, [x0], #4
- lsr w6, w2, #28
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #6
- lsl w3, w3, #4
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #6, #10
- str w4, [x0], #4
- ubfx w5, w2, #16, #10
- str w5, [x0], #4
- lsr w6, w2, #26
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #4
- lsl w3, w3, #6
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #4, #10
- str w4, [x0], #4
- ubfx w5, w2, #14, #10
- str w5, [x0], #4
- lsr w6, w2, #24
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #2
- lsl w3, w3, #8
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #2, #10
- str w4, [x0], #4
- ubfx w5, w2, #12, #10
- str w5, [x0], #4
- ubfx w6, w2, #22, #10
- str w6, [x0], #4
-
- sub x7, x7, #1
- cbnz x7, _10_to_32_loop
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_reduce
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_reduce
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_reduce:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_reduce:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #7
- _poly_reduce_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_reduce_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_caddq
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_caddq
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_caddq:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_caddq:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- sshr v16.4S, v0.4S, #31
- ld1 { v5.4S}, [x1], #16
- sshr v17.4S, v1.4S, #31
- ld1 { v6.4S}, [x1], #16
- sshr v18.4S, v2.4S, #31
- ld1 { v7.4S}, [x1], #16
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #7
- _poly_caddq_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- sshr v16.4S, v0.4S, #31
- ld1 { v5.4S}, [x1], #16
- sshr v17.4S, v1.4S, #31
- ld1 { v6.4S}, [x1], #16
- sshr v18.4S, v2.4S, #31
- ld1 { v7.4S}, [x1], #16
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_caddq_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_freeze
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_freeze
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_freeze:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_freeze:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- sshr v16.4S, v0.4S, #31
- mls v5.4S, v21.4S, v24.4S
- sshr v17.4S, v1.4S, #31
- mls v6.4S, v22.4S, v24.4S
- sshr v18.4S, v2.4S, #31
- mls v7.4S, v23.4S, v24.4S
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #8
- _poly_freeze_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- sshr v16.4S, v0.4S, #31
- mls v5.4S, v21.4S, v24.4S
- sshr v17.4S, v1.4S, #31
- mls v6.4S, v22.4S, v24.4S
- sshr v18.4S, v2.4S, #31
- mls v7.4S, v23.4S, v24.4S
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_freeze_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_power2round
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_power2round
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_power2round:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_power2round:
-
- mov w4, #1
-
- dup v28.4S, w4
-
- ld1 { v0.4S}, [x2], #16
- ld1 { v1.4S}, [x2], #16
- ld1 { v2.4S}, [x2], #16
- ld1 { v3.4S}, [x2], #16
-
- ld1 {v20.4S}, [x2], #16
- sub v4.4S, v0.4S, v28.4S
- ld1 {v21.4S}, [x2], #16
- sub v5.4S, v1.4S, v28.4S
- ld1 {v22.4S}, [x2], #16
- sub v6.4S, v2.4S, v28.4S
- ld1 {v23.4S}, [x2], #16
- sub v7.4S, v3.4S, v28.4S
-
- sub v24.4S, v20.4S, v28.4S
- srshr v16.4S, v4.4S, #13
- sub v25.4S, v21.4S, v28.4S
- srshr v17.4S, v5.4S, #13
- sub v26.4S, v22.4S, v28.4S
- srshr v18.4S, v6.4S, #13
- sub v27.4S, v23.4S, v28.4S
- srshr v19.4S, v7.4S, #13
-
- srshr v28.4S, v24.4S, #13
- st1 {v16.4S}, [x0], #16
- srshr v29.4S, v25.4S, #13
- st1 {v17.4S}, [x0], #16
- srshr v30.4S, v26.4S, #13
- st1 {v18.4S}, [x0], #16
- srshr v31.4S, v27.4S, #13
- st1 {v19.4S}, [x0], #16
-
- st1 {v28.4S}, [x0], #16
- shl v4.4S, v16.4S, #13
- st1 {v29.4S}, [x0], #16
- shl v5.4S, v17.4S, #13
- st1 {v30.4S}, [x0], #16
- shl v6.4S, v18.4S, #13
- st1 {v31.4S}, [x0], #16
- shl v7.4S, v19.4S, #13
-
- shl v24.4S, v28.4S, #13
- sub v16.4S, v0.4S, v4.4S
- shl v25.4S, v29.4S, #13
- sub v17.4S, v1.4S, v5.4S
- shl v26.4S, v30.4S, #13
- sub v18.4S, v2.4S, v6.4S
- shl v27.4S, v31.4S, #13
- sub v19.4S, v3.4S, v7.4S
-
- sub v28.4S, v20.4S, v24.4S
- st1 {v16.4S}, [x1], #16
- sub v29.4S, v21.4S, v25.4S
- st1 {v17.4S}, [x1], #16
- sub v30.4S, v22.4S, v26.4S
- st1 {v18.4S}, [x1], #16
- sub v31.4S, v23.4S, v27.4S
- st1 {v19.4S}, [x1], #16
-
- mov x16, #7
- _poly_power2round_loop:
-
- st1 {v28.4S}, [x1], #16
- dup v28.4S, w4
- ld1 { v0.4S}, [x2], #16
- st1 {v29.4S}, [x1], #16
- ld1 { v1.4S}, [x2], #16
- st1 {v30.4S}, [x1], #16
- ld1 { v2.4S}, [x2], #16
- st1 {v31.4S}, [x1], #16
- ld1 { v3.4S}, [x2], #16
-
- ld1 {v20.4S}, [x2], #16
- sub v4.4S, v0.4S, v28.4S
- ld1 {v21.4S}, [x2], #16
- sub v5.4S, v1.4S, v28.4S
- ld1 {v22.4S}, [x2], #16
- sub v6.4S, v2.4S, v28.4S
- ld1 {v23.4S}, [x2], #16
- sub v7.4S, v3.4S, v28.4S
-
- sub v24.4S, v20.4S, v28.4S
- srshr v16.4S, v4.4S, #13
- sub v25.4S, v21.4S, v28.4S
- srshr v17.4S, v5.4S, #13
- sub v26.4S, v22.4S, v28.4S
- srshr v18.4S, v6.4S, #13
- sub v27.4S, v23.4S, v28.4S
- srshr v19.4S, v7.4S, #13
-
- srshr v28.4S, v24.4S, #13
- st1 {v16.4S}, [x0], #16
- srshr v29.4S, v25.4S, #13
- st1 {v17.4S}, [x0], #16
- srshr v30.4S, v26.4S, #13
- st1 {v18.4S}, [x0], #16
- srshr v31.4S, v27.4S, #13
- st1 {v19.4S}, [x0], #16
-
- st1 {v28.4S}, [x0], #16
- shl v4.4S, v16.4S, #13
- st1 {v29.4S}, [x0], #16
- shl v5.4S, v17.4S, #13
- st1 {v30.4S}, [x0], #16
- shl v6.4S, v18.4S, #13
- st1 {v31.4S}, [x0], #16
- shl v7.4S, v19.4S, #13
-
- shl v24.4S, v28.4S, #13
- sub v16.4S, v0.4S, v4.4S
- shl v25.4S, v29.4S, #13
- sub v17.4S, v1.4S, v5.4S
- shl v26.4S, v30.4S, #13
- sub v18.4S, v2.4S, v6.4S
- shl v27.4S, v31.4S, #13
- sub v19.4S, v3.4S, v7.4S
-
- sub v28.4S, v20.4S, v24.4S
- st1 {v16.4S}, [x1], #16
- sub v29.4S, v21.4S, v25.4S
- st1 {v17.4S}, [x1], #16
- sub v30.4S, v22.4S, v26.4S
- st1 {v18.4S}, [x1], #16
- sub v31.4S, v23.4S, v27.4S
- st1 {v19.4S}, [x1], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_power2round_loop
-
- st1 {v28.4S}, [x1], #16
- st1 {v29.4S}, [x1], #16
- st1 {v30.4S}, [x1], #16
- st1 {v31.4S}, [x1], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_add
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_add
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_add:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_add:
-
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- add v16.4S, v0.4S, v4.4S
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- add v17.4S, v1.4S, v5.4S
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- add v18.4S, v2.4S, v6.4S
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- add v19.4S, v3.4S, v7.4S
-
- mov x16, #15
- _poly_add_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- add v16.4S, v0.4S, v4.4S
- st1 {v17.4S}, [x0], #16
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- add v17.4S, v1.4S, v5.4S
- st1 {v18.4S}, [x0], #16
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- add v18.4S, v2.4S, v6.4S
- st1 {v19.4S}, [x0], #16
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- add v19.4S, v3.4S, v7.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_add_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_sub
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_sub
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_sub:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_sub:
-
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- sub v16.4S, v0.4S, v4.4S
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- sub v17.4S, v1.4S, v5.4S
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- sub v18.4S, v2.4S, v6.4S
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- sub v19.4S, v3.4S, v7.4S
-
- mov x16, #15
- _poly_sub_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- sub v16.4S, v0.4S, v4.4S
- st1 {v17.4S}, [x0], #16
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- sub v17.4S, v1.4S, v5.4S
- st1 {v18.4S}, [x0], #16
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- sub v18.4S, v2.4S, v6.4S
- st1 {v19.4S}, [x0], #16
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- sub v19.4S, v3.4S, v7.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_sub_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_shiftl
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_shiftl
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_shiftl:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_shiftl:
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- shl v16.4S, v0.4S, #13
- ld1 { v1.4S}, [x1], #16
- shl v17.4S, v1.4S, #13
- ld1 { v2.4S}, [x1], #16
- shl v18.4S, v2.4S, #13
- ld1 { v3.4S}, [x1], #16
- shl v19.4S, v3.4S, #13
- ld1 { v4.4S}, [x1], #16
- shl v20.4S, v4.4S, #13
- ld1 { v5.4S}, [x1], #16
- shl v21.4S, v5.4S, #13
- ld1 { v6.4S}, [x1], #16
- shl v22.4S, v6.4S, #13
- ld1 { v7.4S}, [x1], #16
- shl v23.4S, v7.4S, #13
-
- mov x16, #7
- _poly_shiftl_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- shl v16.4S, v0.4S, #13
- st1 {v17.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- shl v17.4S, v1.4S, #13
- st1 {v18.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- shl v18.4S, v2.4S, #13
- st1 {v19.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
- shl v19.4S, v3.4S, #13
- st1 {v20.4S}, [x0], #16
- ld1 { v4.4S}, [x1], #16
- shl v20.4S, v4.4S, #13
- st1 {v21.4S}, [x0], #16
- ld1 { v5.4S}, [x1], #16
- shl v21.4S, v5.4S, #13
- st1 {v22.4S}, [x0], #16
- ld1 { v6.4S}, [x1], #16
- shl v22.4S, v6.4S, #13
- st1 {v23.4S}, [x0], #16
- ld1 { v7.4S}, [x1], #16
- shl v23.4S, v7.4S, #13
-
- sub x16, x16, #1
- cbnz x16, _poly_shiftl_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
- st1 {v20.4S}, [x0], #16
- st1 {v21.4S}, [x0], #16
- st1 {v22.4S}, [x0], #16
- st1 {v23.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_poly_pointwise_montgomery
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_poly_pointwise_montgomery
-PQCLEAN_DILITHIUM3_AARCH64__asm_poly_pointwise_montgomery:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_poly_pointwise_montgomery:
-
- push_all
-
- ldr w20, [x3, #0]
- ldr w21, [x3, #4]
-
- dup v30.4S, w20
- dup v31.4S, w21
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- mov x16, #15
- _poly_pointwise_montgomery_loop:
-
- st1 {v24.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 {v25.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 {v26.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 {v27.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_pointwise_montgomery_loop
-
- st1 {v24.4S}, [x0], #16
- st1 {v25.4S}, [x0], #16
- st1 {v26.4S}, [x0], #16
- st1 {v27.4S}, [x0], #16
-
- pop_all
-
- br lr
-
-
-.align 2
-.global PQCLEAN_DILITHIUM3_AARCH64__asm_polyvecl_pointwise_acc_montgomery
-.global _PQCLEAN_DILITHIUM3_AARCH64__asm_polyvecl_pointwise_acc_montgomery
-PQCLEAN_DILITHIUM3_AARCH64__asm_polyvecl_pointwise_acc_montgomery:
-_PQCLEAN_DILITHIUM3_AARCH64__asm_polyvecl_pointwise_acc_montgomery:
-
- push_all
-
- ldr w20, [x3, #0]
- ldr w21, [x3, #4]
-
- add x5, x1, #1024*1
- add x6, x2, #1024*1
-
- add x7, x1, #1024*2
- add x8, x2, #1024*2
-
- add x9, x1, #1024*3
- add x10, x2, #1024*3
-
-#if L > 4
- add x11, x1, #1024*4
- add x12, x2, #1024*4
-#endif
-
-#if L > 5
- add x13, x11, #1024*1
- add x14, x12, #1024*1
-
- add x15, x11, #1024*2
- add x19, x12, #1024*2
-#endif
-
- dup v30.4S, w20
- dup v31.4S, w21
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x5], #16
- ld1 { v4.4S}, [ x6], #16
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x5], #16
- ld1 { v5.4S}, [ x6], #16
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x5], #16
- ld1 { v6.4S}, [ x6], #16
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x5], #16
- ld1 { v7.4S}, [ x6], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x7], #16
- ld1 { v4.4S}, [ x8], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x7], #16
- ld1 { v5.4S}, [ x8], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x7], #16
- ld1 { v6.4S}, [ x8], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x7], #16
- ld1 { v7.4S}, [ x8], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x9], #16
- ld1 { v4.4S}, [x10], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x9], #16
- ld1 { v5.4S}, [x10], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x9], #16
- ld1 { v6.4S}, [x10], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x9], #16
- ld1 { v7.4S}, [x10], #16
-
-#if L > 4
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x11], #16
- ld1 { v4.4S}, [x12], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x11], #16
- ld1 { v5.4S}, [x12], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x11], #16
- ld1 { v6.4S}, [x12], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x11], #16
- ld1 { v7.4S}, [x12], #16
-#endif
-
-#if L > 5
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x13], #16
- ld1 { v4.4S}, [x14], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x13], #16
- ld1 { v5.4S}, [x14], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x13], #16
- ld1 { v6.4S}, [x14], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x13], #16
- ld1 { v7.4S}, [x14], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x15], #16
- ld1 { v4.4S}, [x19], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x15], #16
- ld1 { v5.4S}, [x19], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x15], #16
- ld1 { v6.4S}, [x19], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x15], #16
- ld1 { v7.4S}, [x19], #16
-#endif
-
- mov x16, #15
- _polyvecl_pointwise_acc_montgomery_loop:
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- ld1 { v0.4S}, [x1], #16
- uzp1 v21.4S, v13.4S, v17.4S
- ld1 { v1.4S}, [x1], #16
- uzp1 v22.4S, v14.4S, v18.4S
- ld1 { v2.4S}, [x1], #16
- uzp1 v23.4S, v15.4S, v19.4S
- ld1 { v3.4S}, [x1], #16
-
- mul v24.4S, v20.4S, v31.4S
- ld1 { v4.4S}, [x2], #16
- mul v25.4S, v21.4S, v31.4S
- ld1 { v5.4S}, [x2], #16
- mul v26.4S, v22.4S, v31.4S
- ld1 { v6.4S}, [x2], #16
- mul v27.4S, v23.4S, v31.4S
- ld1 { v7.4S}, [x2], #16
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x5], #16
- st1 {v24.4S}, [x0], #16
- ld1 { v4.4S}, [ x6], #16
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x5], #16
- st1 {v25.4S}, [x0], #16
- ld1 { v5.4S}, [ x6], #16
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x5], #16
- st1 {v26.4S}, [x0], #16
- ld1 { v6.4S}, [ x6], #16
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x5], #16
- st1 {v27.4S}, [x0], #16
- ld1 { v7.4S}, [ x6], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x7], #16
- ld1 { v4.4S}, [ x8], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x7], #16
- ld1 { v5.4S}, [ x8], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x7], #16
- ld1 { v6.4S}, [ x8], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x7], #16
- ld1 { v7.4S}, [ x8], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x9], #16
- ld1 { v4.4S}, [x10], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x9], #16
- ld1 { v5.4S}, [x10], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x9], #16
- ld1 { v6.4S}, [x10], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x9], #16
- ld1 { v7.4S}, [x10], #16
-
-#if L > 4
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x11], #16
- ld1 { v4.4S}, [x12], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x11], #16
- ld1 { v5.4S}, [x12], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x11], #16
- ld1 { v6.4S}, [x12], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x11], #16
- ld1 { v7.4S}, [x12], #16
-#endif
-
-#if L > 5
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x13], #16
- ld1 { v4.4S}, [x14], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x13], #16
- ld1 { v5.4S}, [x14], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x13], #16
- ld1 { v6.4S}, [x14], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x13], #16
- ld1 { v7.4S}, [x14], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x15], #16
- ld1 { v4.4S}, [x19], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x15], #16
- ld1 { v5.4S}, [x19], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x15], #16
- ld1 { v6.4S}, [x19], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x15], #16
- ld1 { v7.4S}, [x19], #16
-#endif
-
- sub x16, x16, #1
- cbnz x16, _polyvecl_pointwise_acc_montgomery_loop
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- st1 {v24.4S}, [x0], #16
- st1 {v25.4S}, [x0], #16
- st1 {v26.4S}, [x0], #16
- st1 {v27.4S}, [x0], #16
-
- pop_all
-
- br lr
-
-
-
-
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PQCLEAN_DILITHIUM3_AARCH64_API_H
-#define PQCLEAN_DILITHIUM3_AARCH64_API_H
-
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define PQCLEAN_DILITHIUM3_AARCH64_CRYPTO_PUBLICKEYBYTES 1952
-#define PQCLEAN_DILITHIUM3_AARCH64_CRYPTO_SECRETKEYBYTES 4000
-#define PQCLEAN_DILITHIUM3_AARCH64_CRYPTO_BYTES 3293
-#define PQCLEAN_DILITHIUM3_AARCH64_CRYPTO_ALGNAME "Dilithium3"
-
-int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-
-/*
-MIT License
-
-Copyright (c) 2020 Bas Westerbaan
-Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-*/
-
-#if (__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3)
-
-.macro round
- ; Execute theta, but without xoring into the state yet.
- ; Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- rax1.2d v30, v29, v26 ; d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v29, v27, v29 ; d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v27, v25, v27 ; d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v25, v28, v25 ; d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v28, v26, v28 ; d[2] = rotl(p[3], 1) ^ p[1]
-
- ; Xor parities from step theta into the state at the same time
- ; as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- ; Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- ; iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global PQCLEAN_DILITHIUM3_AARCH64_f1600x2
-.global _PQCLEAN_DILITHIUM3_AARCH64_f1600x2
-PQCLEAN_DILITHIUM3_AARCH64_f1600x2:
-_PQCLEAN_DILITHIUM3_AARCH64_f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * at https://github.com/GMUCERG/PQC_NEON/blob/main/neon/kyber or
- * public domain at https://github.com/cothan/kyber/blob/master/neon
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License for this file.
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include <arm_neon.h>
-#include <stddef.h>
-#include "fips202x2.h"
-
-
-#define NROUNDS 24
-
-// Define NEON operation
-// c = load(ptr)
-#define vload(ptr) vld1q_u64(ptr);
-// ptr <= c;
-#define vstore(ptr, c) vst1q_u64(ptr, c);
-// c = a ^ b
-#define vxor(c, a, b) c = veorq_u64(a, b);
-// Rotate by n bit ((a << offset) ^ (a >> (64-offset)))
-#define vROL(out, a, offset) \
- (out) = vshlq_n_u64(a, offset); \
- (out) = vsriq_n_u64(out, a, 64 - (offset));
-// Xor chain: out = a ^ b ^ c ^ d ^ e
-#define vXOR4(out, a, b, c, d, e) \
- (out) = veorq_u64(a, b); \
- (out) = veorq_u64(out, c); \
- (out) = veorq_u64(out, d); \
- (out) = veorq_u64(out, e);
-// Not And c = ~a & b
-// #define vbic(c, a, b) c = vbicq_u64(b, a);
-// Xor Not And: out = a ^ ( (~b) & c)
-#define vXNA(out, a, b, c) \
- (out) = vbicq_u64(c, b); \
- (out) = veorq_u64(out, a);
-// Rotate by 1 bit, then XOR: a ^ ROL(b): SHA1 instruction, not support
-#define vrxor(c, a, b) c = vrax1q_u64(a, b);
-// End Define
-
-/* Keccak round constants */
-static const uint64_t neon_KeccakF_RoundConstants[NROUNDS] = {
- (uint64_t)0x0000000000000001ULL,
- (uint64_t)0x0000000000008082ULL,
- (uint64_t)0x800000000000808aULL,
- (uint64_t)0x8000000080008000ULL,
- (uint64_t)0x000000000000808bULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008009ULL,
- (uint64_t)0x000000000000008aULL,
- (uint64_t)0x0000000000000088ULL,
- (uint64_t)0x0000000080008009ULL,
- (uint64_t)0x000000008000000aULL,
- (uint64_t)0x000000008000808bULL,
- (uint64_t)0x800000000000008bULL,
- (uint64_t)0x8000000000008089ULL,
- (uint64_t)0x8000000000008003ULL,
- (uint64_t)0x8000000000008002ULL,
- (uint64_t)0x8000000000000080ULL,
- (uint64_t)0x000000000000800aULL,
- (uint64_t)0x800000008000000aULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008080ULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008008ULL
-};
-
-/*************************************************
-* Name: KeccakF1600_StatePermutex2
-*
-* Description: The Keccak F1600 Permutation
-*
-* Arguments: - uint64_t *state: pointer to input/output Keccak state
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64_f1600x2(v128*, const uint64_t*);
-static inline
-void KeccakF1600_StatePermutex2(v128 state[25])
-{
-#if (__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3) /* although not sure what is being implemented, we find something fast */
- PQCLEAN_DILITHIUM3_AARCH64_f1600x2(state, neon_KeccakF_RoundConstants);
-#else
- v128 Aba, Abe, Abi, Abo, Abu;
- v128 Aga, Age, Agi, Ago, Agu;
- v128 Aka, Ake, Aki, Ako, Aku;
- v128 Ama, Ame, Ami, Amo, Amu;
- v128 Asa, Ase, Asi, Aso, Asu;
- v128 BCa, BCe, BCi, BCo, BCu; // tmp
- v128 Da, De, Di, Do, Du; // D
- v128 Eba, Ebe, Ebi, Ebo, Ebu;
- v128 Ega, Ege, Egi, Ego, Egu;
- v128 Eka, Eke, Eki, Eko, Eku;
- v128 Ema, Eme, Emi, Emo, Emu;
- v128 Esa, Ese, Esi, Eso, Esu;
-
- //copyFromState(A, state)
- Aba = state[0];
- Abe = state[1];
- Abi = state[2];
- Abo = state[3];
- Abu = state[4];
- Aga = state[5];
- Age = state[6];
- Agi = state[7];
- Ago = state[8];
- Agu = state[9];
- Aka = state[10];
- Ake = state[11];
- Aki = state[12];
- Ako = state[13];
- Aku = state[14];
- Ama = state[15];
- Ame = state[16];
- Ami = state[17];
- Amo = state[18];
- Amu = state[19];
- Asa = state[20];
- Ase = state[21];
- Asi = state[22];
- Aso = state[23];
- Asu = state[24];
-
- for (int round = 0; round < NROUNDS; round += 2)
- {
- // prepareTheta
- vXOR4(BCa, Aba, Aga, Aka, Ama, Asa);
- vXOR4(BCe, Abe, Age, Ake, Ame, Ase);
- vXOR4(BCi, Abi, Agi, Aki, Ami, Asi);
- vXOR4(BCo, Abo, Ago, Ako, Amo, Aso);
- vXOR4(BCu, Abu, Agu, Aku, Amu, Asu);
-
- //thetaRhoPiChiIotaPrepareTheta(round , A, E)
- vROL(Da, BCe, 1);
- vxor(Da, BCu, Da);
- vROL(De, BCi, 1);
- vxor(De, BCa, De);
- vROL(Di, BCo, 1);
- vxor(Di, BCe, Di);
- vROL(Do, BCu, 1);
- vxor(Do, BCi, Do);
- vROL(Du, BCa, 1);
- vxor(Du, BCo, Du);
-
- vxor(Aba, Aba, Da);
- vxor(Age, Age, De);
- vROL(BCe, Age, 44);
- vxor(Aki, Aki, Di);
- vROL(BCi, Aki, 43);
- vxor(Amo, Amo, Do);
- vROL(BCo, Amo, 21);
- vxor(Asu, Asu, Du);
- vROL(BCu, Asu, 14);
- vXNA(Eba, Aba, BCe, BCi);
- vxor(Eba, Eba, vdupq_n_u64(neon_KeccakF_RoundConstants[round]));
- vXNA(Ebe, BCe, BCi, BCo);
- vXNA(Ebi, BCi, BCo, BCu);
- vXNA(Ebo, BCo, BCu, Aba);
- vXNA(Ebu, BCu, Aba, BCe);
-
- vxor(Abo, Abo, Do);
- vROL(BCa, Abo, 28);
- vxor(Agu, Agu, Du);
- vROL(BCe, Agu, 20);
- vxor(Aka, Aka, Da);
- vROL(BCi, Aka, 3);
- vxor(Ame, Ame, De);
- vROL(BCo, Ame, 45);
- vxor(Asi, Asi, Di);
- vROL(BCu, Asi, 61);
- vXNA(Ega, BCa, BCe, BCi);
- vXNA(Ege, BCe, BCi, BCo);
- vXNA(Egi, BCi, BCo, BCu);
- vXNA(Ego, BCo, BCu, BCa);
- vXNA(Egu, BCu, BCa, BCe);
-
- vxor(Abe, Abe, De);
- vROL(BCa, Abe, 1);
- vxor(Agi, Agi, Di);
- vROL(BCe, Agi, 6);
- vxor(Ako, Ako, Do);
- vROL(BCi, Ako, 25);
- vxor(Amu, Amu, Du);
- vROL(BCo, Amu, 8);
- vxor(Asa, Asa, Da);
- vROL(BCu, Asa, 18);
- vXNA(Eka, BCa, BCe, BCi);
- vXNA(Eke, BCe, BCi, BCo);
- vXNA(Eki, BCi, BCo, BCu);
- vXNA(Eko, BCo, BCu, BCa);
- vXNA(Eku, BCu, BCa, BCe);
-
- vxor(Abu, Abu, Du);
- vROL(BCa, Abu, 27);
- vxor(Aga, Aga, Da);
- vROL(BCe, Aga, 36);
- vxor(Ake, Ake, De);
- vROL(BCi, Ake, 10);
- vxor(Ami, Ami, Di);
- vROL(BCo, Ami, 15);
- vxor(Aso, Aso, Do);
- vROL(BCu, Aso, 56);
- vXNA(Ema, BCa, BCe, BCi);
- vXNA(Eme, BCe, BCi, BCo);
- vXNA(Emi, BCi, BCo, BCu);
- vXNA(Emo, BCo, BCu, BCa);
- vXNA(Emu, BCu, BCa, BCe);
-
- vxor(Abi, Abi, Di);
- vROL(BCa, Abi, 62);
- vxor(Ago, Ago, Do);
- vROL(BCe, Ago, 55);
- vxor(Aku, Aku, Du);
- vROL(BCi, Aku, 39);
- vxor(Ama, Ama, Da);
- vROL(BCo, Ama, 41);
- vxor(Ase, Ase, De);
- vROL(BCu, Ase, 2);
- vXNA(Esa, BCa, BCe, BCi);
- vXNA(Ese, BCe, BCi, BCo);
- vXNA(Esi, BCi, BCo, BCu);
- vXNA(Eso, BCo, BCu, BCa);
- vXNA(Esu, BCu, BCa, BCe);
-
- // Next Round
-
- // prepareTheta
- vXOR4(BCa, Eba, Ega, Eka, Ema, Esa);
- vXOR4(BCe, Ebe, Ege, Eke, Eme, Ese);
- vXOR4(BCi, Ebi, Egi, Eki, Emi, Esi);
- vXOR4(BCo, Ebo, Ego, Eko, Emo, Eso);
- vXOR4(BCu, Ebu, Egu, Eku, Emu, Esu);
-
- //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
- vROL(Da, BCe, 1);
- vxor(Da, BCu, Da);
- vROL(De, BCi, 1);
- vxor(De, BCa, De);
- vROL(Di, BCo, 1);
- vxor(Di, BCe, Di);
- vROL(Do, BCu, 1);
- vxor(Do, BCi, Do);
- vROL(Du, BCa, 1);
- vxor(Du, BCo, Du);
-
- vxor(Eba, Eba, Da);
- vxor(Ege, Ege, De);
- vROL(BCe, Ege, 44);
- vxor(Eki, Eki, Di);
- vROL(BCi, Eki, 43);
- vxor(Emo, Emo, Do);
- vROL(BCo, Emo, 21);
- vxor(Esu, Esu, Du);
- vROL(BCu, Esu, 14);
- vXNA(Aba, Eba, BCe, BCi);
- vxor(Aba, Aba, vdupq_n_u64(neon_KeccakF_RoundConstants[round + 1]));
- vXNA(Abe, BCe, BCi, BCo);
- vXNA(Abi, BCi, BCo, BCu);
- vXNA(Abo, BCo, BCu, Eba);
- vXNA(Abu, BCu, Eba, BCe);
-
- vxor(Ebo, Ebo, Do);
- vROL(BCa, Ebo, 28);
- vxor(Egu, Egu, Du);
- vROL(BCe, Egu, 20);
- vxor(Eka, Eka, Da);
- vROL(BCi, Eka, 3);
- vxor(Eme, Eme, De);
- vROL(BCo, Eme, 45);
- vxor(Esi, Esi, Di);
- vROL(BCu, Esi, 61);
- vXNA(Aga, BCa, BCe, BCi);
- vXNA(Age, BCe, BCi, BCo);
- vXNA(Agi, BCi, BCo, BCu);
- vXNA(Ago, BCo, BCu, BCa);
- vXNA(Agu, BCu, BCa, BCe);
-
- vxor(Ebe, Ebe, De);
- vROL(BCa, Ebe, 1);
- vxor(Egi, Egi, Di);
- vROL(BCe, Egi, 6);
- vxor(Eko, Eko, Do);
- vROL(BCi, Eko, 25);
- vxor(Emu, Emu, Du);
- vROL(BCo, Emu, 8);
- vxor(Esa, Esa, Da);
- vROL(BCu, Esa, 18);
- vXNA(Aka, BCa, BCe, BCi);
- vXNA(Ake, BCe, BCi, BCo);
- vXNA(Aki, BCi, BCo, BCu);
- vXNA(Ako, BCo, BCu, BCa);
- vXNA(Aku, BCu, BCa, BCe);
-
- vxor(Ebu, Ebu, Du);
- vROL(BCa, Ebu, 27);
- vxor(Ega, Ega, Da);
- vROL(BCe, Ega, 36);
- vxor(Eke, Eke, De);
- vROL(BCi, Eke, 10);
- vxor(Emi, Emi, Di);
- vROL(BCo, Emi, 15);
- vxor(Eso, Eso, Do);
- vROL(BCu, Eso, 56);
- vXNA(Ama, BCa, BCe, BCi);
- vXNA(Ame, BCe, BCi, BCo);
- vXNA(Ami, BCi, BCo, BCu);
- vXNA(Amo, BCo, BCu, BCa);
- vXNA(Amu, BCu, BCa, BCe);
-
- vxor(Ebi, Ebi, Di);
- vROL(BCa, Ebi, 62);
- vxor(Ego, Ego, Do);
- vROL(BCe, Ego, 55);
- vxor(Eku, Eku, Du);
- vROL(BCi, Eku, 39);
- vxor(Ema, Ema, Da);
- vROL(BCo, Ema, 41);
- vxor(Ese, Ese, De);
- vROL(BCu, Ese, 2);
- vXNA(Asa, BCa, BCe, BCi);
- vXNA(Ase, BCe, BCi, BCo);
- vXNA(Asi, BCi, BCo, BCu);
- vXNA(Aso, BCo, BCu, BCa);
- vXNA(Asu, BCu, BCa, BCe);
- }
-
- state[0] = Aba;
- state[1] = Abe;
- state[2] = Abi;
- state[3] = Abo;
- state[4] = Abu;
- state[5] = Aga;
- state[6] = Age;
- state[7] = Agi;
- state[8] = Ago;
- state[9] = Agu;
- state[10] = Aka;
- state[11] = Ake;
- state[12] = Aki;
- state[13] = Ako;
- state[14] = Aku;
- state[15] = Ama;
- state[16] = Ame;
- state[17] = Ami;
- state[18] = Amo;
- state[19] = Amu;
- state[20] = Asa;
- state[21] = Ase;
- state[22] = Asi;
- state[23] = Aso;
- state[24] = Asu;
-#endif
-}
-
-/*************************************************
-* Name: keccakx2_absorb
-*
-* Description: Absorb step of Keccak;
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
-* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
-* - const uint8_t *m: pointer to input to be absorbed into s
-* - size_t mlen: length of input in bytes
-* - uint8_t p: domain-separation byte for different
-* Keccak-derived functions
-**************************************************/
-static
-void keccakx2_absorb(v128 s[25],
- unsigned int r,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen,
- uint8_t p) {
- size_t i, pos = 0;
-
- // Declare SIMD registers
- v128 tmp, mask;
- uint64x1_t a, b;
- uint64x2_t a1, b1, atmp1, btmp1;
- uint64x2x2_t a2, b2, atmp2, btmp2;
- // End
-
- for (i = 0; i < 25; ++i) {
- s[i] = vdupq_n_u64(0);
- }
-
- // Load in0[i] to register, then in1[i] to register, exchange them
- while (inlen >= r) {
- for (i = 0; i < r / 8 - 1; i += 4) {
- a2 = vld1q_u64_x2((uint64_t *)&in0[pos]);
- b2 = vld1q_u64_x2((uint64_t *)&in1[pos]);
- // BD = zip1(AB and CD)
- atmp2.val[0] = vzip1q_u64(a2.val[0], b2.val[0]);
- atmp2.val[1] = vzip1q_u64(a2.val[1], b2.val[1]);
- // AC = zip2(AB and CD)
- btmp2.val[0] = vzip2q_u64(a2.val[0], b2.val[0]);
- btmp2.val[1] = vzip2q_u64(a2.val[1], b2.val[1]);
-
- vxor(s[i + 0], s[i + 0], atmp2.val[0]);
- vxor(s[i + 1], s[i + 1], btmp2.val[0]);
- vxor(s[i + 2], s[i + 2], atmp2.val[1]);
- vxor(s[i + 3], s[i + 3], btmp2.val[1]);
-
- pos += 8 * 2 * 2;
- }
- // Last iteration
- i = r / 8 - 1;
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- vxor(s[i], s[i], tmp);
- pos += 8;
-
- KeccakF1600_StatePermutex2(s);
- inlen -= r;
- }
-
- i = 0;
- while (inlen >= 16) {
- a1 = vld1q_u64((uint64_t *)&in0[pos]);
- b1 = vld1q_u64((uint64_t *)&in1[pos]);
- // BD = zip1(AB and CD)
- atmp1 = vzip1q_u64(a1, b1);
- // AC = zip2(AB and CD)
- btmp1 = vzip2q_u64(a1, b1);
-
- vxor(s[i + 0], s[i + 0], atmp1);
- vxor(s[i + 1], s[i + 1], btmp1);
-
- i += 2;
- pos += 8 * 2;
- inlen -= 8 * 2;
- }
-
- if (inlen >= 8) {
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- vxor(s[i], s[i], tmp);
-
- i++;
- pos += 8;
- inlen -= 8;
- }
-
- if (inlen) {
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- mask = vdupq_n_u64((1ULL << (8 * inlen)) - 1);
- tmp = vandq_u64(tmp, mask);
- vxor(s[i], s[i], tmp);
- }
-
- tmp = vdupq_n_u64((uint64_t)p << (8 * inlen));
- vxor(s[i], s[i], tmp);
-
- mask = vdupq_n_u64(1ULL << 63);
- vxor(s[r / 8 - 1], s[r / 8 - 1], mask);
-}
-
-/*************************************************
-* Name: keccak_squeezeblocks
-*
-* Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
-* Modifies the state. Can be called multiple times to keep
-* squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed (written to h)
-* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
-* - uint64_t *s: pointer to input/output Keccak state
-**************************************************/
-static
-void keccakx2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- unsigned int r,
- v128 s[25]){
- unsigned int i;
-
- uint64x1_t a, b;
- uint64x2x2_t a2, b2;
-
- while (nblocks > 0)
- {
- KeccakF1600_StatePermutex2(s);
-
- for (i = 0; i < r / 8 - 1; i += 4)
- {
- a2.val[0] = vuzp1q_u64(s[i], s[i + 1]);
- b2.val[0] = vuzp2q_u64(s[i], s[i + 1]);
- a2.val[1] = vuzp1q_u64(s[i + 2], s[i + 3]);
- b2.val[1] = vuzp2q_u64(s[i + 2], s[i + 3]);
- vst1q_u64_x2((uint64_t *)out0, a2);
- vst1q_u64_x2((uint64_t *)out1, b2);
-
- out0 += 32;
- out1 += 32;
- }
-
- i = r / 8 - 1;
- // Last iteration
- a = vget_low_u64(s[i]);
- b = vget_high_u64(s[i]);
- vst1_u64((uint64_t *)out0, a);
- vst1_u64((uint64_t *)out1, b);
-
- out0 += 8;
- out1 += 8;
-
- --nblocks;
- }
-}
-
-/*************************************************
-* Name: shake128x2_absorb
-*
-* Description: Absorb step of the SHAKE128 XOF.
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - keccakx2_state *state: pointer to (uninitialized) output
-* Keccak state
-* - const uint8_t *in: pointer to input to be absorbed into s
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake128x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- keccakx2_absorb(state->s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-}
-
-/*************************************************
-* Name: shake128_squeezeblocks
-*
-* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
-* SHAKE128_RATE bytes each. Modifies the state. Can be called
-* multiple times to keep squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed
-* (written to output)
-* - keccakx2_state *s: pointer to input/output Keccak state
-**************************************************/
-void shake128x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state) {
- keccakx2_squeezeblocks(out0, out1, nblocks, SHAKE128_RATE, state->s);
-}
-
-/*************************************************
-* Name: shake256_absorb
-*
-* Description: Absorb step of the SHAKE256 XOF.
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - keccakx2_state *s: pointer to (uninitialized) output Keccak state
-* - const uint8_t *in: pointer to input to be absorbed into s
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake256x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- keccakx2_absorb(state->s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-}
-
-/*************************************************
-* Name: shake256_squeezeblocks
-*
-* Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of
-* SHAKE256_RATE bytes each. Modifies the state. Can be called
-* multiple times to keep squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed
-* (written to output)
-* - keccakx2_state *s: pointer to input/output Keccak state
-**************************************************/
-void shake256x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state) {
- keccakx2_squeezeblocks(out0, out1, nblocks, SHAKE256_RATE, state->s);
-}
-
-/*************************************************
-* Name: shake128
-*
-* Description: SHAKE128 XOF with non-incremental API
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t outlen: requested output length in bytes
-* - const uint8_t *in: pointer to input
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake128x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- unsigned int i;
- size_t nblocks = outlen / SHAKE128_RATE;
- uint8_t t[2][SHAKE128_RATE];
- keccakx2_state state;
-
- shake128x2_absorb(&state, in0, in1, inlen);
- shake128x2_squeezeblocks(out0, out1, nblocks, &state);
-
- out0 += nblocks * SHAKE128_RATE;
- out1 += nblocks * SHAKE128_RATE;
- outlen -= nblocks * SHAKE128_RATE;
-
- if (outlen) {
- shake128x2_squeezeblocks(t[0], t[1], 1, &state);
- for (i = 0; i < outlen; ++i) {
- out0[i] = t[0][i];
- out1[i] = t[1][i];
- }
- }
-}
-
-/*************************************************
-* Name: shake256
-*
-* Description: SHAKE256 XOF with non-incremental API
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t outlen: requested output length in bytes
-* - const uint8_t *in: pointer to input
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake256x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- unsigned int i;
- size_t nblocks = outlen / SHAKE256_RATE;
- uint8_t t[2][SHAKE256_RATE];
- keccakx2_state state;
-
- shake256x2_absorb(&state, in0, in1, inlen);
- shake256x2_squeezeblocks(out0, out1, nblocks, &state);
-
- out0 += nblocks * SHAKE256_RATE;
- out1 += nblocks * SHAKE256_RATE;
- outlen -= nblocks * SHAKE256_RATE;
-
- if (outlen) {
- shake256x2_squeezeblocks(t[0], t[1], 1, &state);
- for (i = 0; i < outlen; ++i) {
- out0[i] = t[0][i];
- out1[i] = t[1][i];
- }
- }
-}
+++ /dev/null
-
-/*
- * This file is licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * at https://github.com/GMUCERG/PQC_NEON/blob/main/neon/kyber or
- * public domain at https://github.com/cothan/kyber/blob/master/neon
- */
-
-#ifndef FIPS202X2_H
-#define FIPS202X2_H
-
-#include "params.h"
-#include <arm_neon.h>
-#include <stddef.h>
-
-#include <fips202.h>
-
-typedef uint64x2_t v128;
-
-typedef struct {
- v128 s[25];
-} keccakx2_state;
-
-
-#define shake128x2_absorb DILITHIUM_NAMESPACE(shake128x2_absorb)
-void shake128x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake128x2_squeezeblocks DILITHIUM_NAMESPACE(shake128x2_squeezeblocks)
-void shake128x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state);
-
-#define shake256x2_absorb DILITHIUM_NAMESPACE(shake256x2_absorb)
-void shake256x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake256x2_squeezeblocks DILITHIUM_NAMESPACE(shake256x2_squeezeblocks)
-void shake256x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state);
-
-#define shake128x2 DILITHIUM_NAMESPACE(shake128x2)
-void shake128x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake256x2 DILITHIUM_NAMESPACE(shake256x2)
-void shake256x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-#endif
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros_common.inc"
-
-.macro wrap_trn_4x4 a0, a1, a2, a3, t0, t1, t2, t3, qS, dD
-
- trn1 \t0\qS, \a0\qS, \a1\qS
- trn2 \t1\qS, \a0\qS, \a1\qS
- trn1 \t2\qS, \a2\qS, \a3\qS
- trn2 \t3\qS, \a2\qS, \a3\qS
-
- trn1 \a0\dD, \t0\dD, \t2\dD
- trn2 \a2\dD, \t0\dD, \t2\dD
- trn1 \a1\dD, \t1\dD, \t3\dD
- trn2 \a3\dD, \t1\dD, \t3\dD
-
-.endm
-
-.macro trn_4x4 a0, a1, a2, a3, t0, t1, t2, t3
- wrap_trn_4x4 \a0, \a1, \a2, \a3, \t0, \t1, \t2, \t3, .4S, .2D
-.endm
-
-
-.macro dq_butterfly_vec_bot a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1
- wrap_dX_butterfly_vec_bot \a0, \a1, \b0, \b1, \t0, \t1, \mod, \l0, \h0, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_top a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1
- wrap_dX_butterfly_vec_top \a0, \a1, \b0, \b1, \t0, \t1, \mod, \l0, \h0, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3
- wrap_dX_butterfly_vec_mixed \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \l0, \h0, \l1, \h1, \l2, \h2, \l3, \h3, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3
- wrap_dX_butterfly_vec_mixed_rev \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \l0, \h0, \l1, \h1, \l2, \h2, \l3, \h3, .4S, .S
-.endm
-
-
-.macro dq_butterfly_top a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1
- wrap_dX_butterfly_top \a0, \a1, \b0, \b1, \t0, \t1, \mod, \z0, \l0, \h0, \z1, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_bot a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1
- wrap_dX_butterfly_bot \a0, \a1, \b0, \b1, \t0, \t1, \mod, \z0, \l0, \h0, \z1, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_dX_butterfly_mixed \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro dq_butterfly_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_dX_butterfly_mixed_rev \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-
-.macro qq_montgomery_mul b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_montgomery_mul \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-
-.macro qq_butterfly_top a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_butterfly_top \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro qq_butterfly_bot a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_butterfly_bot \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro qq_butterfly_mixed a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7
- wrap_qX_butterfly_mixed \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \a4, \a5, \a6, \a7, \b4, \b5, \b6, \b7, \t4, \t5, \t6, \t7, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, \z4, \l4, \h4, \z5, \l5, \h5, \z6, \l6, \h6, \z7, \l7, \h7, .4S, .S
-.endm
-
-.macro qq_butterfly_mixed_rev a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7
- wrap_qX_butterfly_mixed_rev \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \a4, \a5, \a6, \a7, \b4, \b5, \b6, \b7, \t4, \t5, \t6, \t7, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, \z4, \l4, \h4, \z5, \l5, \h5, \z6, \l6, \h6, \z7, \l7, \h7, .4S, .S
-.endm
-
-
-.macro qq_montgomery c0, c1, c2, c3, l0, l1, l2, l3, h0, h1, h2, h3, t0, t1, t2, t3, Qprime, Q
- wrap_qX_montgomery \c0, \c1, \c2, \c3, \l0, \l1, \l2, \l3, \h0, \h1, \h2, \h3, \t0, \t1, \t2, \t3, \Qprime, \Q, .2S, .4S, .2D
-.endm
-
-.macro qq_sub_add s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3
- wrap_qX_sub_add \s0, \s1, \s2, \s3, \t0, \t1, \t2, \t3, \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, .4S
-.endm
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-// for ABI
-
-.macro push_all
-
- sub sp, sp, #(16*9)
- stp x19, x20, [sp, #16*0]
- stp x21, x22, [sp, #16*1]
- stp x23, x24, [sp, #16*2]
- stp x25, x26, [sp, #16*3]
- stp x27, x28, [sp, #16*4]
- stp d8, d9, [sp, #16*5]
- stp d10, d11, [sp, #16*6]
- stp d12, d13, [sp, #16*7]
- stp d14, d15, [sp, #16*8]
-
-.endm
-
-.macro pop_all
-
- ldp x19, x20, [sp, #16*0]
- ldp x21, x22, [sp, #16*1]
- ldp x23, x24, [sp, #16*2]
- ldp x25, x26, [sp, #16*3]
- ldp x27, x28, [sp, #16*4]
- ldp d8, d9, [sp, #16*5]
- ldp d10, d11, [sp, #16*6]
- ldp d12, d13, [sp, #16*7]
- ldp d14, d15, [sp, #16*8]
- add sp, sp, #(16*9)
-
-.endm
-
-// vector-scalar butterflies
-
-.macro wrap_dX_butterfly_top a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_bot a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
-
-.endm
-
-.macro wrap_dX_butterfly_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
-
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- sub \b3\wX, \a3\wX, \t3\wX
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- add \a3\wX, \a3\wX, \t3\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_top a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_bot a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
- sub \b2\wX, \a2\wX, \t2\wX
- sub \b3\wX, \a3\wX, \t3\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
- add \a2\wX, \a2\wX, \t2\wX
- add \a3\wX, \a3\wX, \t3\wX
-
-.endm
-
-.macro wrap_qX_butterfly_mixed a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t4\wX, \b4\wX, \z4\nX[\h4]
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t5\wX, \b5\wX, \z5\nX[\h5]
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t6\wX, \b6\wX, \z6\nX[\h6]
- sub \b3\wX, \a3\wX, \t3\wX
- mul \t7\wX, \b7\wX, \z7\nX[\h7]
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b4\wX, \b4\wX, \z4\nX[\l4]
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b5\wX, \b5\wX, \z5\nX[\l5]
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b6\wX, \b6\wX, \z6\nX[\l6]
- add \a3\wX, \a3\wX, \t3\wX
- sqrdmulh \b7\wX, \b7\wX, \z7\nX[\l7]
-
- mls \t4\wX, \b4\wX, \mod\nX[0]
- mls \t5\wX, \b5\wX, \mod\nX[0]
- mls \t6\wX, \b6\wX, \mod\nX[0]
- mls \t7\wX, \b7\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_mixed_rev a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- sub \b4\wX, \a4\wX, \t4\wX
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- sub \b5\wX, \a5\wX, \t5\wX
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- sub \b6\wX, \a6\wX, \t6\wX
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
- sub \b7\wX, \a7\wX, \t7\wX
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- add \a4\wX, \a4\wX, \t4\wX
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- add \a5\wX, \a5\wX, \t5\wX
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- add \a6\wX, \a6\wX, \t6\wX
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
- add \a7\wX, \a7\wX, \t7\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-// vector-vector butterflies
-
-.macro wrap_dX_butterfly_vec_top a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1, wX, nX
-
- mul \t0\wX, \b0\wX, \h0\wX
- mul \t1\wX, \b1\wX, \h1\wX
-
- sqrdmulh \b0\wX, \b0\wX, \l0\wX
- sqrdmulh \b1\wX, \b1\wX, \l1\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_vec_bot a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
-
-.endm
-
-.macro wrap_dX_butterfly_vec_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t2\wX, \b2\wX, \h2\wX
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t3\wX, \b3\wX, \h3\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b2\wX, \b2\wX, \l2\wX
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b3\wX, \b3\wX, \l3\wX
-
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_vec_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \h0\wX
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t1\wX, \b1\wX, \h1\wX
- sub \b3\wX, \a3\wX, \t3\wX
-
- sqrdmulh \b0\wX, \b0\wX, \l0\wX
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b1\wX, \b1\wX, \l1\wX
- add \a3\wX, \a3\wX, \t3\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-// vector-scalar Barrett reduction
-
-.macro wrap_qX_barrett a0, a1, a2, a3, t0, t1, t2, t3, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\nX[0]
- sqdmulh \t1\wX, \a1\wX, \barrett_const\nX[0]
-
- sqdmulh \t2\wX, \a2\wX, \barrett_const\nX[0]
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t3\wX, \a3\wX, \barrett_const\nX[0]
- srshr \t1\wX, \t1\wX, \shrv
-
- srshr \t2\wX, \t2\wX, \shrv
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t3\wX, \t3\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
-
- mls \a2\wX, \t2\wX, \Q\wX
- mls \a3\wX, \t3\wX, \Q\wX
-
-.endm
-
-.macro wrap_oX_barrett a0, a1, a2, a3, t0, t1, t2, t3, a4, a5, a6, a7, t4, t5, t6, t7, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\nX[0]
- sqdmulh \t1\wX, \a1\wX, \barrett_const\nX[0]
- sqdmulh \t2\wX, \a2\wX, \barrett_const\nX[0]
- sqdmulh \t3\wX, \a3\wX, \barrett_const\nX[0]
-
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t4\wX, \a4\wX, \barrett_const\nX[0]
- srshr \t1\wX, \t1\wX, \shrv
- sqdmulh \t5\wX, \a5\wX, \barrett_const\nX[0]
- srshr \t2\wX, \t2\wX, \shrv
- sqdmulh \t6\wX, \a6\wX, \barrett_const\nX[0]
- srshr \t3\wX, \t3\wX, \shrv
- sqdmulh \t7\wX, \a7\wX, \barrett_const\nX[0]
-
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t4\wX, \t4\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
- srshr \t5\wX, \t5\wX, \shrv
- mls \a2\wX, \t2\wX, \Q\wX
- srshr \t6\wX, \t6\wX, \shrv
- mls \a3\wX, \t3\wX, \Q\wX
- srshr \t7\wX, \t7\wX, \shrv
-
- mls \a4\wX, \t4\wX, \Q\wX
- mls \a5\wX, \t5\wX, \Q\wX
- mls \a6\wX, \t6\wX, \Q\wX
- mls \a7\wX, \t7\wX, \Q\wX
-
-.endm
-
-// vector-vector Barrett reduction
-
-.macro wrap_qo_barrett_vec a0, a1, a2, a3, t0, t1, t2, t3, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\wX
- sqdmulh \t1\wX, \a1\wX, \barrett_const\wX
-
- sqdmulh \t2\wX, \a2\wX, \barrett_const\wX
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t3\wX, \a3\wX, \barrett_const\wX
- srshr \t1\wX, \t1\wX, \shrv
-
- srshr \t2\wX, \t2\wX, \shrv
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t3\wX, \t3\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
-
- mls \a2\wX, \t2\wX, \Q\wX
- mls \a3\wX, \t3\wX, \Q\wX
-
-.endm
-
-.macro wrap_oo_barrett_vec a0, a1, a2, a3, t0, t1, t2, t3, a4, a5, a6, a7, t4, t5, t6, t7, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\wX
- sqdmulh \t1\wX, \a1\wX, \barrett_const\wX
- sqdmulh \t2\wX, \a2\wX, \barrett_const\wX
- sqdmulh \t3\wX, \a3\wX, \barrett_const\wX
-
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t4\wX, \a4\wX, \barrett_const\wX
- srshr \t1\wX, \t1\wX, \shrv
- sqdmulh \t5\wX, \a5\wX, \barrett_const\wX
- srshr \t2\wX, \t2\wX, \shrv
- sqdmulh \t6\wX, \a6\wX, \barrett_const\wX
- srshr \t3\wX, \t3\wX, \shrv
- sqdmulh \t7\wX, \a7\wX, \barrett_const\wX
-
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t4\wX, \t4\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
- srshr \t5\wX, \t5\wX, \shrv
- mls \a2\wX, \t2\wX, \Q\wX
- srshr \t6\wX, \t6\wX, \shrv
- mls \a3\wX, \t3\wX, \Q\wX
- srshr \t7\wX, \t7\wX, \shrv
-
- mls \a4\wX, \t4\wX, \Q\wX
- mls \a5\wX, \t5\wX, \Q\wX
- mls \a6\wX, \t6\wX, \Q\wX
- mls \a7\wX, \t7\wX, \Q\wX
-
-.endm
-
-// Montgomery multiplication
-
-.macro wrap_qX_montgomery_mul b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \b0\wX, \t0\wX, \z0\nX[\h0]
- mul \b1\wX, \t1\wX, \z1\nX[\h1]
- mul \b2\wX, \t2\wX, \z2\nX[\h2]
- mul \b3\wX, \t3\wX, \z3\nX[\h3]
-
- sqrdmulh \t0\wX, \t0\wX, \z0\nX[\l0]
- sqrdmulh \t1\wX, \t1\wX, \z1\nX[\l1]
- sqrdmulh \t2\wX, \t2\wX, \z2\nX[\l2]
- sqrdmulh \t3\wX, \t3\wX, \z3\nX[\l3]
-
- mls \b0\wX, \t0\wX, \mod\nX[0]
- mls \b1\wX, \t1\wX, \mod\nX[0]
- mls \b2\wX, \t2\wX, \mod\nX[0]
- mls \b3\wX, \t3\wX, \mod\nX[0]
-
-.endm
-
-// Montgomery reduction with long
-
-.macro wrap_qX_montgomery c0, c1, c2, c3, l0, l1, l2, l3, h0, h1, h2, h3, t0, t1, t2, t3, Qprime, Q, lX, wX, dwX
-
- uzp1 \t0\wX, \l0\wX, \h0\wX
- uzp1 \t1\wX, \l1\wX, \h1\wX
- uzp1 \t2\wX, \l2\wX, \h2\wX
- uzp1 \t3\wX, \l3\wX, \h3\wX
-
- mul \t0\wX, \t0\wX, \Qprime\wX
- mul \t1\wX, \t1\wX, \Qprime\wX
- mul \t2\wX, \t2\wX, \Qprime\wX
- mul \t3\wX, \t3\wX, \Qprime\wX
-
- smlal \l0\dwX, \t0\lX, \Q\lX
- smlal2 \h0\dwX, \t0\wX, \Q\wX
- smlal \l1\dwX, \t1\lX, \Q\lX
- smlal2 \h1\dwX, \t1\wX, \Q\wX
- smlal \l2\dwX, \t2\lX, \Q\lX
- smlal2 \h2\dwX, \t2\wX, \Q\wX
- smlal \l3\dwX, \t3\lX, \Q\lX
- smlal2 \h3\dwX, \t3\wX, \Q\wX
-
- uzp2 \c0\wX, \l0\wX, \h0\wX
- uzp2 \c1\wX, \l1\wX, \h1\wX
- uzp2 \c2\wX, \l2\wX, \h2\wX
- uzp2 \c3\wX, \l3\wX, \h3\wX
-
-.endm
-
-// add_sub, sub_add
-
-.macro wrap_qX_add_sub s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3, wX
-
- add \s0\wX, \a0\wX, \b0\wX
- sub \t0\wX, \a0\wX, \b0\wX
- add \s1\wX, \a1\wX, \b1\wX
- sub \t1\wX, \a1\wX, \b1\wX
- add \s2\wX, \a2\wX, \b2\wX
- sub \t2\wX, \a2\wX, \b2\wX
- add \s3\wX, \a3\wX, \b3\wX
- sub \t3\wX, \a3\wX, \b3\wX
-
-.endm
-
-.macro wrap_qX_sub_add s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3, wX
-
- sub \t0\wX, \a0\wX, \b0\wX
- add \s0\wX, \a0\wX, \b0\wX
- sub \t1\wX, \a1\wX, \b1\wX
- add \s1\wX, \a1\wX, \b1\wX
- sub \t2\wX, \a2\wX, \b2\wX
- add \s2\wX, \a2\wX, \b2\wX
- sub \t3\wX, \a3\wX, \b3\wX
- add \s3\wX, \a3\wX, \b3\wX
-
-.endm
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "reduce.h"
-#include <stdint.h>
-#include <stdio.h>
-
-#include "NTT_params.h"
-#include "ntt.h"
-
-
-/*************************************************
-* Name: ntt
-*
-* Description: Forward NTT, in-place. No modular reduction is performed after
-* additions or subtractions. Output vector is in bitreversed order.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void ntt(int32_t a[N]) {
- NTT(a);
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
-* In-place. No modular reductions after additions or
-* subtractions; input coefficients need to be smaller than
-* Q in absolute value. Output coefficient are smaller than Q in
-* absolute value.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void invntt_tomont(int32_t a[N]) {
- iNTT(a);
-}
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef NTT_H
-#define NTT_H
-#include "NTT_params.h"
-#include "params.h"
-#include <stdint.h>
-
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_top(int *des, const int *table, const int *_constants);
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_bot(int *des, const int *table, const int *_constants);
-
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_top(int *des, const int *table, const int *_constants);
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_bot(int *des, const int *table, const int *_constants);
-
-#define NTT(in) { \
- PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_top(in, streamlined_CT_negacyclic_table_Q1_extended, constants); \
- PQCLEAN_DILITHIUM3_AARCH64__asm_ntt_SIMD_bot(in, streamlined_CT_negacyclic_table_Q1_extended, constants); \
- }
-
-#define iNTT(in) { \
- PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_bot(in, streamlined_inv_CT_table_Q1_extended, constants); \
- PQCLEAN_DILITHIUM3_AARCH64__asm_intt_SIMD_top(in, streamlined_inv_CT_table_Q1_extended, constants); \
- }
-
-#define ntt DILITHIUM_NAMESPACE(ntt)
-void ntt(int32_t a[ARRAY_N]);
-#define invntt_tomont DILITHIUM_NAMESPACE(invntt_tomont)
-void invntt_tomont(int32_t a[ARRAY_N]);
-
-static const int constants[16] = {
- Q1, -Q1prime, RmodQ1_prime_half, RmodQ1_doubleprime,
- invNQ1R2modQ1_prime_half,
- invNQ1R2modQ1_doubleprime,
- invNQ1_final_R2modQ1_prime_half,
- invNQ1_final_R2modQ1_doubleprime
-};
-
-static const int streamlined_CT_negacyclic_table_Q1_extended[(NTT_N + (1 << 0) + (1 << 4)) << 1] = {
- 0, 0, -915382907, -3572223, 964937599, 3765607, 963888510, 3761513, -820383522, -3201494, -738955404, -2883726, -806080660, -3145678, -820367122, -3201430, -154181397, -601683, 907762539, 3542485, 687336873, 2682288, 545785280, 2129892, 964747974, 3764867, -257592709, -1005239, 142848732, 557458, -312926867, -1221177, 0, 0, -863652652, -3370349, 923069133, 3602218, 815613168, 3182878, 787459213, 3073009, 327391679, 1277625, -675340520, -2635473, 987079667, 3852015, 449207, 1753, -495951789, -1935420, -681503850, -2659525, -373072124, -1455890, 681730119, 2660408, -456183549, -1780227, -15156688, -59148, 710479343, 2772600, 0, 0, -1041158200, -4063053, 702264730, 2740543, -919027554, -3586446, 1071989969, 4183372, -825844983, -3222807, -799869667, -3121440, -70227934, -274060, 302950022, 1182243, 22347069, 87208, 163212680, 636927, -1016110510, -3965306, -1013916752, -3956745, -588452222, -2296397, -841760171, -3284915, -952468207, -3716946, 0, 0, 682491182, 2663378, -797147778, -3110818, 538486762, 2101410, 642926661, 2508980, 519705671, 2028118, 496502727, 1937570, -977780347, -3815725, -7126831, -27812, 210776307, 822541, 258649997, 1009365, -628875181, -2454145, -507246529, -1979497, 409185979, 1596822, -1013967746, -3956944, -963363710, -3759465, 0, 0, -429120452, -1674615, 949361686, 3704823, 297218217, 1159875, 720393920, 2811291, -764594519, -2983781, -284313712, -1109516, 1065510939, 4158088, -431820817, -1685153, -873958779, -3410568, 686309310, 2678278, -965793731, -3768948, -909946047, -3551006, 162963861, 635956, -64176841, -250446, -629190881, -2455377, 0, 0, -903139016, -3524442, 101000509, 394148, 237992130, 928749, 391567239, 1528066, 123678909, 482649, 294395108, 1148858, -759080783, -2962264, -1062481036, -4146264, -454226054, -1772588, 561940831, 2192938, -442566669, -1727088, 611800717, 2387513, -925511710, -3611750, -68791907, -268456, -814992530, -3180456, 0, 0, -111244624, -434125, 280713909, 1095468, -898510625, -3506380, -144935890, -565603, 43482586, 169688, 631001801, 2462444, -854436357, -3334383, 960233614, 3747250, 588375860, 2296099, 317727459, 1239911, -983611064, -3838479, 818892658, 3195676, 677264190, 2642980, 321386456, 1254190, -3181859, -12417, 0, 0, 173376332, 676590, 530906624, 2071829, -1029866791, -4018989, -1067647297, -4166425, -893898890, -3488383, 509377762, 1987814, -819295484, -3197248, 768294260, 2998219, 36345249, 141835, -22883400, -89301, 643961400, 2513018, -347191365, -1354892, 157142369, 613238, -335754661, -1310261, -568482643, -2218467, 0, 0, -342333886, -1335936, 830756018, 3241972, 552488273, 2156050, 444930577, 1736313, 60323094, 235407, -832852657, -3250154, 834980303, 3258457, -117552223, -458740, -492511373, -1921994, 1035301089, 4040196, -889718424, -3472069, 522531086, 2039144, -481719139, -1879878, -209807681, -818761, -558360247, -2178965, 0, 0, -827143915, -3227876, 875112161, 3415069, 450833045, 1759347, -660934133, -2579253, 458160776, 1787943, -612717067, -2391089, -577774276, -2254727, -415984810, -1623354, 539479988, 2105286, -608441020, -2374402, -521163479, -2033807, 150224382, 586241, -302276083, -1179613, 135295244, 527981, -702999655, -2743411, 0, 0, 439288460, 1714295, -209493775, -817536, -915957677, -3574466, 892316032, 3482206, -1071872863, -4182915, -333129378, -1300016, -605279149, -2362063, -378477722, -1476985, 510974714, 1994046, 638402564, 2491325, -356997292, -1393159, 130156402, 507927, -304395785, -1187885, -185731180, -724804, -470097680, -1834526, 0, 0, 628833668, 2453983, 962678241, 3756790, -496048908, -1935799, -337655269, -1317678, 630730945, 2461387, 777970524, 3035980, 159173408, 621164, -777397036, -3033742, -86720197, -338420, 678549029, 2647994, 771248568, 3009748, -669544140, -2612853, 1063046068, 4148469, 192079267, 749577, -1030830548, -4022750, 0, 0, 374309300, 1460718, -439978542, -1716988, -1012201926, -3950053, 999753034, 3901472, -314332144, -1226661, 749740976, 2925816, 864652284, 3374250, 1020029345, 3980599, 658309618, 2569011, -413979908, -1615530, 441577800, 1723229, 426738094, 1665318, 519685171, 2028038, 298172236, 1163598, -863376927, -3369273, 0, 0, -164673562, -642628, -742437332, -2897314, 818041395, 3192354, 347590090, 1356448, -711287812, -2775755, 687588511, 2683270, -712065019, -2778788, 1023635298, 3994671, -3043996, -11879, -351195274, -1370517, 773976352, 3020393, 861908357, 3363542, 55063046, 214880, 139752717, 545376, -197425671, -770441, 0, 0, -918682129, -3585098, 142694469, 556856, 991769559, 3870317, -888589898, -3467665, 592665232, 2312838, -167401858, -653275, -117660617, -459163, 795799901, 3105558, -282732136, -1103344, 130212265, 508145, -141890356, -553718, 220412084, 860144, 879049958, 3430436, 35937555, 140244, -388001774, -1514152, 0, 0, 721508096, 2815639, 747568486, 2917338, 475038184, 1853806, 89383150, 348812, -84011120, -327848, 259126110, 1011223, -603268097, -2354215, -559928242, -2185084, 800464680, 3123762, 604333585, 2358373, -561979013, -2193087, -772445769, -3014420, -439933955, -1716814, 749801963, 2926054, -100631253, -392707, 0, 0, 585207070, 2283733, 857403734, 3345963, 476219497, 1858416, -978523985, -3818627, -492577742, -1922253, -573161516, -2236726, 447030292, 1744507, -77645096, -303005, 904878186, 3531229, -1018462631, -3974485, -967019376, -3773731, 486888731, 1900052, -200355636, -781875, 270210213, 1054478, -187430119, -731434, 0, 0
-};
-
-static const int streamlined_inv_CT_table_Q1_extended[(NTT_N + (1 << 0) + (1 << 4)) << 1] = {
- 0, 0, 915382907, 3572223, -963888510, -3761513, -964937599, -3765607, 820367122, 3201430, 806080660, 3145678, 738955404, 2883726, 820383522, 3201494, 312926867, 1221177, -142848732, -557458, 257592709, 1005239, -964747974, -3764867, -545785280, -2129892, -687336873, -2682288, -907762539, -3542485, 154181397, 601683, 0, 0, -585207070, -2283733, -476219497, -1858416, -857403734, -3345963, -447030292, -1744507, 573161516, 2236726, 492577742, 1922253, 978523985, 3818627, 187430119, 731434, -270210213, -1054478, 200355636, 781875, -486888731, -1900052, 967019376, 3773731, 1018462631, 3974485, -904878186, -3531229, 77645096, 303005, 0, 0, -721508096, -2815639, -475038184, -1853806, -747568486, -2917338, 603268097, 2354215, -259126110, -1011223, 84011120, 327848, -89383150, -348812, 100631253, 392707, -749801963, -2926054, 439933955, 1716814, 772445769, 3014420, 561979013, 2193087, -604333585, -2358373, -800464680, -3123762, 559928242, 2185084, 0, 0, 918682129, 3585098, -991769559, -3870317, -142694469, -556856, 117660617, 459163, 167401858, 653275, -592665232, -2312838, 888589898, 3467665, 388001774, 1514152, -35937555, -140244, -879049958, -3430436, -220412084, -860144, 141890356, 553718, -130212265, -508145, 282732136, 1103344, -795799901, -3105558, 0, 0, 164673562, 642628, -818041395, -3192354, 742437332, 2897314, 712065019, 2778788, -687588511, -2683270, 711287812, 2775755, -347590090, -1356448, 197425671, 770441, -139752717, -545376, -55063046, -214880, -861908357, -3363542, -773976352, -3020393, 351195274, 1370517, 3043996, 11879, -1023635298, -3994671, 0, 0, -374309300, -1460718, 1012201926, 3950053, 439978542, 1716988, -864652284, -3374250, -749740976, -2925816, 314332144, 1226661, -999753034, -3901472, 863376927, 3369273, -298172236, -1163598, -519685171, -2028038, -426738094, -1665318, -441577800, -1723229, 413979908, 1615530, -658309618, -2569011, -1020029345, -3980599, 0, 0, -628833668, -2453983, 496048908, 1935799, -962678241, -3756790, -159173408, -621164, -777970524, -3035980, -630730945, -2461387, 337655269, 1317678, 1030830548, 4022750, -192079267, -749577, -1063046068, -4148469, 669544140, 2612853, -771248568, -3009748, -678549029, -2647994, 86720197, 338420, 777397036, 3033742, 0, 0, -439288460, -1714295, 915957677, 3574466, 209493775, 817536, 605279149, 2362063, 333129378, 1300016, 1071872863, 4182915, -892316032, -3482206, 470097680, 1834526, 185731180, 724804, 304395785, 1187885, -130156402, -507927, 356997292, 1393159, -638402564, -2491325, -510974714, -1994046, 378477722, 1476985, 0, 0, 827143915, 3227876, -450833045, -1759347, -875112161, -3415069, 577774276, 2254727, 612717067, 2391089, -458160776, -1787943, 660934133, 2579253, 702999655, 2743411, -135295244, -527981, 302276083, 1179613, -150224382, -586241, 521163479, 2033807, 608441020, 2374402, -539479988, -2105286, 415984810, 1623354, 0, 0, 342333886, 1335936, -552488273, -2156050, -830756018, -3241972, -834980303, -3258457, 832852657, 3250154, -60323094, -235407, -444930577, -1736313, 558360247, 2178965, 209807681, 818761, 481719139, 1879878, -522531086, -2039144, 889718424, 3472069, -1035301089, -4040196, 492511373, 1921994, 117552223, 458740, 0, 0, -173376332, -676590, 1029866791, 4018989, -530906624, -2071829, 819295484, 3197248, -509377762, -1987814, 893898890, 3488383, 1067647297, 4166425, 568482643, 2218467, 335754661, 1310261, -157142369, -613238, 347191365, 1354892, -643961400, -2513018, 22883400, 89301, -36345249, -141835, -768294260, -2998219, 0, 0, 111244624, 434125, 898510625, 3506380, -280713909, -1095468, 854436357, 3334383, -631001801, -2462444, -43482586, -169688, 144935890, 565603, 3181859, 12417, -321386456, -1254190, -677264190, -2642980, -818892658, -3195676, 983611064, 3838479, -317727459, -1239911, -588375860, -2296099, -960233614, -3747250, 0, 0, 903139016, 3524442, -237992130, -928749, -101000509, -394148, 759080783, 2962264, -294395108, -1148858, -123678909, -482649, -391567239, -1528066, 814992530, 3180456, 68791907, 268456, 925511710, 3611750, -611800717, -2387513, 442566669, 1727088, -561940831, -2192938, 454226054, 1772588, 1062481036, 4146264, 0, 0, 429120452, 1674615, -297218217, -1159875, -949361686, -3704823, -1065510939, -4158088, 284313712, 1109516, 764594519, 2983781, -720393920, -2811291, 629190881, 2455377, 64176841, 250446, -162963861, -635956, 909946047, 3551006, 965793731, 3768948, -686309310, -2678278, 873958779, 3410568, 431820817, 1685153, 0, 0, -682491182, -2663378, -538486762, -2101410, 797147778, 3110818, 977780347, 3815725, -496502727, -1937570, -519705671, -2028118, -642926661, -2508980, 963363710, 3759465, 1013967746, 3956944, -409185979, -1596822, 507246529, 1979497, 628875181, 2454145, -258649997, -1009365, -210776307, -822541, 7126831, 27812, 0, 0, 1041158200, 4063053, 919027554, 3586446, -702264730, -2740543, 70227934, 274060, 799869667, 3121440, 825844983, 3222807, -1071989969, -4183372, 952468207, 3716946, 841760171, 3284915, 588452222, 2296397, 1013916752, 3956745, 1016110510, 3965306, -163212680, -636927, -22347069, -87208, -302950022, -1182243, 0, 0, 863652652, 3370349, -815613168, -3182878, -923069133, -3602218, -987079667, -3852015, 675340520, 2635473, -327391679, -1277625, -787459213, -3073009, -710479343, -2772600, 15156688, 59148, 456183549, 1780227, -681730119, -2660408, 373072124, 1455890, 681503850, 2659525, 495951789, 1935420, -449207, -1753, 0, 0
-};
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- pk[i] = rho[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
- }
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = pk[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = rho[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = key[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = tr[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
- }
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- key[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- tr[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sig[i] = c[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for (i = 0; i < OMEGA + K; ++i) {
- sig[i] = 0;
- }
-
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- if (h->vec[i].coeffs[j] != 0) {
- sig[k++] = (uint8_t) j;
- }
- }
-
- sig[OMEGA + i] = (uint8_t) k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES]) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- c[i] = sig[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- h->vec[i].coeffs[j] = 0;
- }
-
- if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
- return 1;
- }
-
- for (j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if (j > k && sig[j] <= sig[j - 1]) {
- return 1;
- }
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for (j = k; j < OMEGA; ++j) {
- if (sig[j]) {
- return 1;
- }
- }
-
- return 0;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PACKING_H
-#define PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include <stdint.h>
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PARAMS_H
-#define PARAMS_H
-
-//#define DILITHIUM_MODE 2
-#define DILITHIUM_MODE 3
-//#define DILITHIUM_MODE 5
-
-#define CRYPTO_NAMESPACETOP PQCLEAN_DILITHIUM3_AARCH64_crypto_sign
-#define CRYPTO_NAMESPACE(s) PQCLEAN_DILITHIUM3_AARCH64_##s
-#define DILITHIUM_NAMESPACETOP CRYPTO_NAMESPACETOP
-#define DILITHIUM_NAMESPACE(s) CRYPTO_NAMESPACE(s)
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define DILITHIUM_Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((DILITHIUM_Q-1)/32)
-#define OMEGA 55
-#define CRYPTO_ALGNAME "Dilithium3"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (DILITHIUM_Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (DILITHIUM_Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#define POLYETA_PACKEDBYTES 128
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "poly.h"
-#include "reduce.h"
-#include "rounding.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-#include "fips202x2.h"
-
-#include "NTT_params.h"
-#include "ntt.h"
-
-static const int32_t montgomery_const[4] = {
- DILITHIUM_Q, DILITHIUM_QINV
-};
-
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007].
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_poly_reduce(int32_t *, const int32_t *);
-void poly_reduce(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM3_AARCH64__asm_poly_reduce(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_caddq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_poly_caddq(int32_t *, const int32_t *);
-void poly_caddq(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM3_AARCH64__asm_poly_caddq(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_freeze
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* standard representatives.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_poly_freeze(int32_t *, const int32_t *);
-void poly_freeze(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM3_AARCH64__asm_poly_freeze(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = a->coeffs[i] - b->coeffs[i];
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- a->coeffs[i] <<= D;
- }
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_tomont(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_poly_pointwise_montgomery(int32_t *des, const int32_t *src1, const int32_t *src2, const int32_t *table);
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM3_AARCH64__asm_poly_pointwise_montgomery(c->coeffs, a->coeffs, b->coeffs, montgomery_const);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_poly_power2round(int32_t *, int32_t *, const int32_t *);
-void poly_power2round(poly *a1, poly *a0, const poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM3_AARCH64__asm_poly_power2round(a1->coeffs, a0->coeffs, a->coeffs);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
- }
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint polynomial. The coefficients of which indicate
-* whether the low bits of the corresponding coefficient of
-* the input polynomial overflow into the high bits.
-*
-* Arguments: - poly *h: pointer to output hint polynomial
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
- unsigned int i, s = 0;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
- s += h->coeffs[i];
- }
-
- DBENCH_STOP(*tround);
- return s;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
- }
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input coefficients were reduced by reduce32().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int32_t t;
- DBENCH_START();
-
- if (B > (DILITHIUM_Q - 1) / 8) {
- return 1;
- }
-
- /* It is ok to leak which coefficient violates the bound since
- the probability for each coefficient is independent of secret
- data but we must not leak the sign of the centralized representative. */
- for (i = 0; i < N; ++i) {
- /* Absolute value */
- t = a->coeffs[i] >> 31;
- t = a->coeffs[i] - (t & 2 * a->coeffs[i]);
-
- if (t >= B) {
- DBENCH_STOP(*tsample);
- return 1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return 0;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if (t < DILITHIUM_Q) {
- a[ctr++] = t;
- }
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-
-#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce) {
- unsigned int i, ctr, off;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
- stream128_state state;
-
- stream128_init(&state, seed, nonce);
- stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);
-
- ctr = rej_uniform(a->coeffs, N, buf, buflen);
-
- while (ctr < N) {
- off = buflen % 3;
- for (i = 0; i < off; ++i) {
- buf[i] = buf[buflen - off + i];
- }
-
- stream128_squeezeblocks(buf + off, 1, &state);
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
- stream128_release(&state);
-}
-
-void poly_uniformx2(poly *a0, poly *a1,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0, uint16_t nonce1) {
- unsigned int ctr0, ctr1;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES;
- uint8_t buf0[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
- uint8_t buf1[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
-
- keccakx2_state statex2;
- dilithium_shake128x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake128x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_NBLOCKS, &statex2);
-
- ctr0 = rej_uniform(a0->coeffs, N, buf0, buflen);
- ctr1 = rej_uniform(a1->coeffs, N, buf1, buflen);
-
- while (ctr0 < N || ctr1 < N) {
- shake128x2_squeezeblocks(buf0, buf1, 1, &statex2);
- ctr0 += rej_uniform(a0->coeffs + ctr0, N - ctr0, buf0, buflen);
- ctr1 += rej_uniform(a1->coeffs + ctr1, N - ctr1, buf1, buflen);
- }
-
-
-}
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-
- if (t0 < 9) {
- a[ctr++] = 4 - t0;
- }
- if (t1 < 9 && ctr < len) {
- a[ctr++] = 4 - t1;
- }
-
-
-
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce) {
- unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr = rej_eta(a->coeffs, N, buf, buflen);
-
- while (ctr < N) {
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
- stream256_release(&state);
-}
-
-void poly_uniform_etax2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1) {
- unsigned int ctr0, ctr1;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
-
- uint8_t buf0[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
- uint8_t buf1[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
-
- keccakx2_state statex2;
-
- dilithium_shake256x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake256x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_ETA_NBLOCKS, &statex2);
-
- ctr0 = rej_eta(a0->coeffs, N, buf0, buflen);
- ctr1 = rej_eta(a1->coeffs, N, buf1, buflen);
-
- while (ctr0 < N || ctr1 < N) {
- shake256x2_squeezeblocks(buf0, buf1, 1, &statex2);
- ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf0, STREAM256_BLOCKBYTES);
- ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf1, STREAM256_BLOCKBYTES);
- }
-}
-
-/*************************************************
-* Name: poly_uniform_gamma1m1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce) {
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- stream256_release(&state);
- polyz_unpack(a, buf);
-}
-
-void poly_uniform_gamma1x2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1) {
-
- uint8_t buf0[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
- uint8_t buf1[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
-
- keccakx2_state statex2;
-
- dilithium_shake256x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake256x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_GAMMA1_NBLOCKS, &statex2);
-
- polyz_unpack(a0, buf0);
- polyz_unpack(a1, buf1);
-
-}
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf, sizeof buf, &state);
-
- signs = 0;
- for (i = 0; i < 8; ++i) {
- signs |= (uint64_t)buf[i] << 8 * i;
- }
- pos = 8;
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = 0;
- }
- for (i = N - TAU; i < N; ++i) {
- do {
- if (pos >= SHAKE256_RATE) {
- shake256_inc_squeeze(buf, sizeof buf, &state);
- pos = 0;
- }
-
- b = buf[pos++];
- } while (b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2 * (signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-
- for (i = 0; i < N / 2; ++i) {
- t[0] = ETA - a->coeffs[2 * i + 0];
- t[1] = ETA - a->coeffs[2 * i + 1];
- r[i] = t[0] | (t[1] << 4);
- }
-
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-
- for (i = 0; i < N / 2; ++i) {
- r->coeffs[2 * i + 0] = a[i] & 0x0F;
- r->coeffs[2 * i + 1] = a[i] >> 4;
- r->coeffs[2 * i + 0] = ETA - r->coeffs[2 * i + 0];
- r->coeffs[2 * i + 1] = ETA - r->coeffs[2 * i + 1];
- }
-
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r[5 * i + 0] = (uint8_t) (a->coeffs[4 * i + 0] >> 0);
- r[5 * i + 1] = (uint8_t) ((a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2));
- r[5 * i + 2] = (uint8_t) ((a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4));
- r[5 * i + 3] = (uint8_t) ((a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6));
- r[5 * i + 4] = (uint8_t) (a->coeffs[4 * i + 3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_10_to_32(int32_t *, const uint8_t *);
-void polyt1_unpack(poly *r, const uint8_t *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM3_AARCH64__asm_10_to_32(r->coeffs, a);
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0];
- t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1];
- t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2];
- t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3];
- t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4];
- t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5];
- t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6];
- t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7];
-
- r[13 * i + 0] = (uint8_t) t[0];
- r[13 * i + 1] = (uint8_t) (t[0] >> 8);
- r[13 * i + 1] |= (uint8_t) (t[1] << 5);
- r[13 * i + 2] = (uint8_t) (t[1] >> 3);
- r[13 * i + 3] = (uint8_t) (t[1] >> 11);
- r[13 * i + 3] |= (uint8_t) (t[2] << 2);
- r[13 * i + 4] = (uint8_t) (t[2] >> 6);
- r[13 * i + 4] |= (uint8_t) (t[3] << 7);
- r[13 * i + 5] = (uint8_t) (t[3] >> 1);
- r[13 * i + 6] = (uint8_t) (t[3] >> 9);
- r[13 * i + 6] |= (uint8_t) (t[4] << 4);
- r[13 * i + 7] = (uint8_t) (t[4] >> 4);
- r[13 * i + 8] = (uint8_t) (t[4] >> 12);
- r[13 * i + 8] |= (uint8_t) (t[5] << 1);
- r[13 * i + 9] = (uint8_t) (t[5] >> 7);
- r[13 * i + 9] |= (uint8_t) (t[6] << 6);
- r[13 * i + 10] = (uint8_t) (t[6] >> 2);
- r[13 * i + 11] = (uint8_t) (t[6] >> 10);
- r[13 * i + 11] |= (uint8_t) (t[7] << 3);
- r[13 * i + 12] = (uint8_t) (t[7] >> 5);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = a[13 * i + 0];
- r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8;
- r->coeffs[8 * i + 0] &= 0x1FFF;
-
- r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11;
- r->coeffs[8 * i + 1] &= 0x1FFF;
-
- r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2;
- r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6;
- r->coeffs[8 * i + 2] &= 0x1FFF;
-
- r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9;
- r->coeffs[8 * i + 3] &= 0x1FFF;
-
- r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12;
- r->coeffs[8 * i + 4] &= 0x1FFF;
-
- r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1;
- r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7;
- r->coeffs[8 * i + 5] &= 0x1FFF;
-
- r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10;
- r->coeffs[8 * i + 6] &= 0x1FFF;
-
- r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3;
- r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5;
- r->coeffs[8 * i + 7] &= 0x1FFF;
-
- r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = (1 << (D - 1)) - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
- #if GAMMA1 == (1 << 17)
-
- for (i = 0; i < N / 4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4 * i + 0];
- t[1] = GAMMA1 - a->coeffs[4 * i + 1];
- t[2] = GAMMA1 - a->coeffs[4 * i + 2];
- t[3] = GAMMA1 - a->coeffs[4 * i + 3];
-
- r[9 * i + 0] = t[0];
- r[9 * i + 1] = t[0] >> 8;
- r[9 * i + 2] = t[0] >> 16;
- r[9 * i + 2] |= t[1] << 2;
- r[9 * i + 3] = t[1] >> 6;
- r[9 * i + 4] = t[1] >> 14;
- r[9 * i + 4] |= t[2] << 4;
- r[9 * i + 5] = t[2] >> 4;
- r[9 * i + 6] = t[2] >> 12;
- r[9 * i + 6] |= t[3] << 6;
- r[9 * i + 7] = t[3] >> 2;
- r[9 * i + 8] = t[3] >> 10;
- }
-
- #elif GAMMA1 == (1 << 19)
-
- for (i = 0; i < N / 2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2 * i + 0];
- t[1] = GAMMA1 - a->coeffs[2 * i + 1];
-
- r[5 * i + 0] = t[0];
- r[5 * i + 1] = t[0] >> 8;
- r[5 * i + 2] = t[0] >> 16;
- r[5 * i + 2] |= t[1] << 4;
- r[5 * i + 3] = t[1] >> 4;
- r[5 * i + 4] = t[1] >> 12;
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- #if GAMMA1 == (1 << 17)
-
- for (i = 0; i < N / 4; ++i) {
- r->coeffs[4 * i + 0] = a[9 * i + 0];
- r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 1] << 8;
- r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 2] << 16;
- r->coeffs[4 * i + 0] &= 0x3FFFF;
-
- r->coeffs[4 * i + 1] = a[9 * i + 2] >> 2;
- r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 3] << 6;
- r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 4] << 14;
- r->coeffs[4 * i + 1] &= 0x3FFFF;
-
- r->coeffs[4 * i + 2] = a[9 * i + 4] >> 4;
- r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 5] << 4;
- r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 6] << 12;
- r->coeffs[4 * i + 2] &= 0x3FFFF;
-
- r->coeffs[4 * i + 3] = a[9 * i + 6] >> 6;
- r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 7] << 2;
- r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 8] << 10;
- r->coeffs[4 * i + 3] &= 0x3FFFF;
-
- r->coeffs[4 * i + 0] = GAMMA1 - r->coeffs[4 * i + 0];
- r->coeffs[4 * i + 1] = GAMMA1 - r->coeffs[4 * i + 1];
- r->coeffs[4 * i + 2] = GAMMA1 - r->coeffs[4 * i + 2];
- r->coeffs[4 * i + 3] = GAMMA1 - r->coeffs[4 * i + 3];
- }
-
- #elif GAMMA1 == (1 << 19)
-
- for (i = 0; i < N / 2; ++i) {
- r->coeffs[2 * i + 0] = a[5 * i + 0];
- r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8;
- r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 2] << 16;
- r->coeffs[2 * i + 0] &= 0xFFFFF;
-
- r->coeffs[2 * i + 1] = a[5 * i + 2] >> 4;
- r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4;
- r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12;
- r->coeffs[2 * i + 0] &= 0xFFFFF;
-
- r->coeffs[2 * i + 0] = GAMMA1 - r->coeffs[2 * i + 0];
- r->coeffs[2 * i + 1] = GAMMA1 - r->coeffs[2 * i + 1];
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- #if GAMMA2 == (DILITHIUM_Q-1)/88
-
- for (i = 0; i < N / 4; ++i) {
- r[3 * i + 0] = a->coeffs[4 * i + 0];
- r[3 * i + 0] |= a->coeffs[4 * i + 1] << 6;
- r[3 * i + 1] = a->coeffs[4 * i + 1] >> 2;
- r[3 * i + 1] |= a->coeffs[4 * i + 2] << 4;
- r[3 * i + 2] = a->coeffs[4 * i + 2] >> 4;
- r[3 * i + 2] |= a->coeffs[4 * i + 3] << 2;
- }
-
- #elif GAMMA2 == (DILITHIUM_Q-1)/32
-
- for (i = 0; i < N / 2; ++i) {
- r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4);
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef POLY_H
-#define POLY_H
-#include "params.h"
-#include <stdint.h>
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-#define poly_freeze DILITHIUM_NAMESPACE(poly_freeze)
-void poly_freeze(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-#define poly_uniformx2 DILITHIUM_NAMESPACE(poly_uniformx2)
-void poly_uniformx2(poly *a0, poly *a1,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_etax2 DILITHIUM_NAMESPACE(poly_uniform_etax2)
-void poly_uniform_etax2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_gamma1x2 DILITHIUM_NAMESPACE(poly_uniform_gamma1x2)
-void poly_uniform_gamma1x2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t *r, const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t *a);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t *r, const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t *a);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t *r, const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t *a);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t *r, const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include <stdint.h>
-
-#include "reduce.h"
-
-static const int32_t l_montgomery_const[4] = {
- DILITHIUM_Q, DILITHIUM_QINV
-};
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
-
- for (j = 0; j < L; ++j) {
- for (i = 0; i < K; i += 2) {
- poly_uniformx2(&mat[i + 0].vec[j], &mat[i + 1].vec[j], rho, (uint16_t) ((i << 8) + j), (uint16_t) (((i + 1) << 8) + j));
- }
- }
-}
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
- }
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L - 1; i += 2) {
- poly_uniform_gamma1x2(&v->vec[i + 0], &v->vec[i + 1], seed, (uint16_t) (L * nonce + i + 0), (uint16_t) (L * nonce + i + 1));
- }
- if (L & 1) {
- poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + L - 1));
- }
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length L
-* to standard representatives.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_freeze(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_ntt(&v->vec[i]);
- }
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-extern void PQCLEAN_DILITHIUM3_AARCH64__asm_polyvecl_pointwise_acc_montgomery(int32_t *, const int32_t *, const int32_t *, const int32_t *);
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v) {
- PQCLEAN_DILITHIUM3_AARCH64__asm_polyvecl_pointwise_acc_montgomery(w->coeffs, u->vec[0].coeffs, v->vec[0].coeffs, l_montgomery_const);
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- if (poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_caddq(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to standard representatives.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_freeze(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_shiftl(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_ntt(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- if (poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - polyveck *h: pointer to output vector
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1) {
- unsigned int i, s = 0;
-
- for (i = 0; i < K; ++i) {
- s += poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
- }
-
- return s;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
- }
-}
-
-void polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]);
- }
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef POLYVEC_H
-#define POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include <stdint.h>
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_freeze DILITHIUM_NAMESPACE(polyvecl_freeze)
-void polyvecl_freeze(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-#define polyveck_freeze DILITHIUM_NAMESPACE(polyveck_freeze)
-void polyveck_freeze(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "params.h"
-#include "reduce.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int32_t)((uint64_t)a * (uint64_t)DILITHIUM_QINV);
- t = (a - (int64_t)t * DILITHIUM_Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t * DILITHIUM_Q;
- return t;
-}
-
-/*************************************************
-* Name: caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t caddq(int32_t a) {
- a += (a >> 31) & DILITHIUM_Q;
- return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t freeze(int32_t a) {
- a = reduce32(a);
- a = caddq(a);
- return a;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef REDUCE_H
-#define REDUCE_H
-#include "params.h"
-#include <stdint.h>
-
-#define DILITHIUM_QINV 58728449 // q^(-1) mod 2^32
-
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
-
-#define reduce32 DILITHIUM_NAMESPACE(reduce32)
-int32_t reduce32(int32_t a);
-
-#define caddq DILITHIUM_NAMESPACE(caddq)
-int32_t caddq(int32_t a);
-
-#define freeze DILITHIUM_NAMESPACE(freeze)
-int32_t freeze(int32_t a);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "params.h"
-#include "rounding.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D - 1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
- #if GAMMA2 == (DILITHIUM_Q-1)/32
-
- a1 = (a1 * 1025 + (1 << 21)) >> 22;
- a1 &= 15;
-
- #elif GAMMA2 == (DILITHIUM_Q-1)/88
-
- a1 = (a1 * 11275 + (1 << 23)) >> 24;
- a1 ^= ((43 - a1) >> 31) & a1;
-
- #else
-
-#error "No parameter specified"
-
- #endif
-
- *a0 = a - a1 * 2 * GAMMA2;
- *a0 -= (((DILITHIUM_Q - 1) / 2 - *a0) >> 31) & DILITHIUM_Q;
- return a1;
-}
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if (a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0)) {
- return 1;
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = decompose(&a0, a);
- if (hint == 0) {
- return a1;
- }
-
- #if GAMMA2 == (DILITHIUM_Q-1)/32
-
- if (a0 > 0) {
- return (a1 + 1) & 15;
- }
- return (a1 - 1) & 15;
- #elif GAMMA2 == (DILITHIUM_Q-1)/88
-
- if (a0 > 0) {
- return (a1 == 43) ? 0 : a1 + 1;
- }
- return (a1 == 0) ? 43 : a1 - 1;
- #endif
-
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef ROUNDING_H
-#define ROUNDING_H
-#include "params.h"
-#include <stdint.h>
-
-#define power2round DILITHIUM_NAMESPACE(power2round)
-int32_t power2round(int32_t *a0, int32_t a);
-
-#define decompose DILITHIUM_NAMESPACE(decompose)
-int32_t decompose(int32_t *a0, int32_t a);
-
-#define make_hint DILITHIUM_NAMESPACE(make_hint)
-unsigned int make_hint(int32_t a0, int32_t a1);
-
-#define use_hint DILITHIUM_NAMESPACE(use_hint)
-int32_t use_hint(int32_t a, unsigned int hint);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "fips202.h"
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "randombytes.h"
-#include "sign.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
- const uint8_t *rho, *rhoprime, *key;
- polyvecl mat[K];
- polyvecl s1, s1hat;
- polyveck s2, t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Expand matrix */
- polyvec_matrix_expand(mat, rho);
-
- /* Sample short vectors s1 and s2 */
- polyvecl_uniform_eta(&s1, rhoprime, 0);
- polyveck_uniform_eta(&s2, rhoprime, L);
-
- /* Matrix-vector multiplication */
- s1hat = s1;
- polyvecl_ntt(&s1hat);
- polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat);
- polyveck_reduce(&t1);
- polyveck_invntt_tomont(&t1);
-
- /* Add error vector s2 */
- polyveck_add(&t1, &t1, &s2);
-
- /* Extract t1 and write public key */
- polyveck_caddq(&t1);
- polyveck_power2round(&t1, &t0, &t1);
- pack_pk(pk, rho, &t1);
-
- /* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig,
- size_t *siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk) {
- unsigned int n;
- uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint16_t nonce = 0;
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- // liboqs uses randomized signing for the reference and
- // avx2 implementations of dilithium. pqclean currently
- // doesn't support randomized signing, so this is patched
- // in. If/when pqclean adds randomized signing to dilithium
- // this will need to be updated.
- randombytes(rhoprime, CRHBYTES);
- //shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-rej:
- /* Sample intermediate vector y */
- polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
- /* Matrix-vector multiplication */
- z = y;
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
- /* Compute z, reject if it reveals secret */
- polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
- polyvecl_invntt_tomont(&z);
- polyvecl_add(&z, &z, &y);
- polyvecl_reduce(&z);
- if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
- goto rej;
- }
-
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
- polyveck_invntt_tomont(&h);
- polyveck_sub(&w0, &w0, &h);
- polyveck_reduce(&w0);
- if (polyveck_chknorm(&w0, GAMMA2 - BETA)) {
- goto rej;
- }
-
- /* Compute hints for w1 */
- polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
- polyveck_invntt_tomont(&h);
- polyveck_reduce(&h);
- if (polyveck_chknorm(&h, GAMMA2)) {
- goto rej;
- }
-
- polyveck_add(&w0, &w0, &h);
- n = polyveck_make_hint(&h, &w0, &w1);
- if (n > OMEGA) {
- goto rej;
- }
-
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm,
- size_t *smlen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk) {
- size_t i;
-
- for (i = 0; i < mlen; ++i) {
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- }
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig,
- size_t siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *pk) {
- unsigned int i;
- uint8_t buf[K * POLYW1_PACKEDBYTES];
- uint8_t rho[SEEDBYTES];
- uint8_t mu[CRHBYTES];
- uint8_t c[SEEDBYTES];
- uint8_t c2[SEEDBYTES];
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
- shake256incctx state;
-
- if (siglen != CRYPTO_BYTES) {
- return -1;
- }
-
- unpack_pk(rho, &t1, pk);
- if (unpack_sig(c, &z, &h, sig)) {
- return -1;
- }
- if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
- return -1;
- }
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
- polyvec_matrix_expand(mat, rho);
-
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
- poly_ntt(&cp);
- polyveck_shiftl(&t1);
- polyveck_ntt(&t1);
- polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
- polyveck_sub(&w1, &w1, &t1);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Reconstruct w1 */
- polyveck_caddq(&w1);
- polyveck_use_hint(&w1, &w1, &h);
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(c2, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for (i = 0; i < SEEDBYTES; ++i) {
- if (c[i] != c2[i]) {
- return -1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m,
- size_t *mlen,
- const uint8_t *sm,
- size_t smlen,
- const uint8_t *pk) {
- size_t i;
-
- if (smlen < CRYPTO_BYTES) {
- goto badsig;
- }
-
- *mlen = smlen - CRYPTO_BYTES;
- if (crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) {
- goto badsig;
- } else {
- /* All good, copy msg, return 0 */
- for (i = 0; i < *mlen; ++i) {
- m[i] = sm[CRYPTO_BYTES + i];
- }
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = (size_t) -1;
- for (i = 0; i < smlen; ++i) {
- m[i] = 0;
- }
-
- return -1;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef SIGN_H
-#define SIGN_H
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include <stddef.h>
-#include <stdint.h>
-
-
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "fips202.h"
-#include "params.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- uint8_t t[2];
- t[0] = (uint8_t) nonce;
- t[1] = (uint8_t) (nonce >> 8);
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- uint8_t t[2];
- t[0] = (uint8_t) nonce;
- t[1] = (uint8_t) (nonce >> 8);
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
-
-void dilithium_shake128x2_stream_init(keccakx2_state *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce1, uint16_t nonce2) {
- unsigned int i;
- uint8_t extseed1[SEEDBYTES + 2 + 14];
- uint8_t extseed2[SEEDBYTES + 2 + 14];
-
- for (i = 0; i < SEEDBYTES; i++) {
- extseed1[i] = seed[i];
- extseed2[i] = seed[i];
- }
- extseed1[SEEDBYTES] = (uint8_t) nonce1;
- extseed1[SEEDBYTES + 1] = (uint8_t) (nonce1 >> 8);
-
- extseed2[SEEDBYTES ] = (uint8_t) nonce2;
- extseed2[SEEDBYTES + 1] = (uint8_t) (nonce2 >> 8);
-
- shake128x2_absorb(state, extseed1, extseed2, SEEDBYTES + 2);
-}
-
-void dilithium_shake256x2_stream_init(keccakx2_state *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce1, uint16_t nonce2) {
- unsigned int i;
- uint8_t extseed1[CRHBYTES + 2 + 14];
- uint8_t extseed2[CRHBYTES + 2 + 14];
-
- for (i = 0; i < CRHBYTES; i++) {
- extseed1[i] = seed[i];
- extseed2[i] = seed[i];
- }
- extseed1[CRHBYTES] = (uint8_t) nonce1;
- extseed1[CRHBYTES + 1] = (uint8_t) (nonce1 >> 8);
-
- extseed2[CRHBYTES ] = (uint8_t) nonce2;
- extseed2[CRHBYTES + 1] = (uint8_t) (nonce2 >> 8);
-
- shake256x2_absorb(state, extseed1, extseed2, CRHBYTES + 2);
-}
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-#include "fips202.h"
-#include "fips202x2.h"
-#include "params.h"
-#include <stdint.h>
-
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-#define dilithium_shake128x2_stream_init DILITHIUM_NAMESPACE(dilithium_shake128x2_stream_init)
-void dilithium_shake128x2_stream_init(keccakx2_state *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce1, uint16_t nonce2);
-#define dilithium_shake256x2_stream_init DILITHIUM_NAMESPACE(dilithium_shake256x2_stream_init)
-void dilithium_shake256x2_stream_init(keccakx2_state *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce1, uint16_t nonce2);
-
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-
-#endif
+++ /dev/null
-Creative Commons Legal Code
-
-CC0 1.0 Universal
-
- CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
- LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
- ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
- INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
- REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
- PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
- THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
- HEREUNDER.
-
-Statement of Purpose
-
-The laws of most jurisdictions throughout the world automatically confer
-exclusive Copyright and Related Rights (defined below) upon the creator
-and subsequent owner(s) (each and all, an "owner") of an original work of
-authorship and/or a database (each, a "Work").
-
-Certain owners wish to permanently relinquish those rights to a Work for
-the purpose of contributing to a commons of creative, cultural and
-scientific works ("Commons") that the public can reliably and without fear
-of later claims of infringement build upon, modify, incorporate in other
-works, reuse and redistribute as freely as possible in any form whatsoever
-and for any purposes, including without limitation commercial purposes.
-These owners may contribute to the Commons to promote the ideal of a free
-culture and the further production of creative, cultural and scientific
-works, or to gain reputation or greater distribution for their Work in
-part through the use and efforts of others.
-
-For these and/or other purposes and motivations, and without any
-expectation of additional consideration or compensation, the person
-associating CC0 with a Work (the "Affirmer"), to the extent that he or she
-is an owner of Copyright and Related Rights in the Work, voluntarily
-elects to apply CC0 to the Work and publicly distribute the Work under its
-terms, with knowledge of his or her Copyright and Related Rights in the
-Work and the meaning and intended legal effect of CC0 on those rights.
-
-1. Copyright and Related Rights. A Work made available under CC0 may be
-protected by copyright and related or neighboring rights ("Copyright and
-Related Rights"). Copyright and Related Rights include, but are not
-limited to, the following:
-
- i. the right to reproduce, adapt, distribute, perform, display,
- communicate, and translate a Work;
- ii. moral rights retained by the original author(s) and/or performer(s);
-iii. publicity and privacy rights pertaining to a person's image or
- likeness depicted in a Work;
- iv. rights protecting against unfair competition in regards to a Work,
- subject to the limitations in paragraph 4(a), below;
- v. rights protecting the extraction, dissemination, use and reuse of data
- in a Work;
- vi. database rights (such as those arising under Directive 96/9/EC of the
- European Parliament and of the Council of 11 March 1996 on the legal
- protection of databases, and under any national implementation
- thereof, including any amended or successor version of such
- directive); and
-vii. other similar, equivalent or corresponding rights throughout the
- world based on applicable law or treaty, and any national
- implementations thereof.
-
-2. Waiver. To the greatest extent permitted by, but not in contravention
-of, applicable law, Affirmer hereby overtly, fully, permanently,
-irrevocably and unconditionally waives, abandons, and surrenders all of
-Affirmer's Copyright and Related Rights and associated claims and causes
-of action, whether now known or unknown (including existing as well as
-future claims and causes of action), in the Work (i) in all territories
-worldwide, (ii) for the maximum duration provided by applicable law or
-treaty (including future time extensions), (iii) in any current or future
-medium and for any number of copies, and (iv) for any purpose whatsoever,
-including without limitation commercial, advertising or promotional
-purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
-member of the public at large and to the detriment of Affirmer's heirs and
-successors, fully intending that such Waiver shall not be subject to
-revocation, rescission, cancellation, termination, or any other legal or
-equitable action to disrupt the quiet enjoyment of the Work by the public
-as contemplated by Affirmer's express Statement of Purpose.
-
-3. Public License Fallback. Should any part of the Waiver for any reason
-be judged legally invalid or ineffective under applicable law, then the
-Waiver shall be preserved to the maximum extent permitted taking into
-account Affirmer's express Statement of Purpose. In addition, to the
-extent the Waiver is so judged Affirmer hereby grants to each affected
-person a royalty-free, non transferable, non sublicensable, non exclusive,
-irrevocable and unconditional license to exercise Affirmer's Copyright and
-Related Rights in the Work (i) in all territories worldwide, (ii) for the
-maximum duration provided by applicable law or treaty (including future
-time extensions), (iii) in any current or future medium and for any number
-of copies, and (iv) for any purpose whatsoever, including without
-limitation commercial, advertising or promotional purposes (the
-"License"). The License shall be deemed effective as of the date CC0 was
-applied by Affirmer to the Work. Should any part of the License for any
-reason be judged legally invalid or ineffective under applicable law, such
-partial invalidity or ineffectiveness shall not invalidate the remainder
-of the License, and in such case Affirmer hereby affirms that he or she
-will not (i) exercise any of his or her remaining Copyright and Related
-Rights in the Work or (ii) assert any associated claims and causes of
-action with respect to the Work, in either case contrary to Affirmer's
-express Statement of Purpose.
-
-4. Limitations and Disclaimers.
-
- a. No trademark or patent rights held by Affirmer are waived, abandoned,
- surrendered, licensed or otherwise affected by this document.
- b. Affirmer offers the Work as-is and makes no representations or
- warranties of any kind concerning the Work, express, implied,
- statutory or otherwise, including without limitation warranties of
- title, merchantability, fitness for a particular purpose, non
- infringement, or the absence of latent or other defects, accuracy, or
- the present or absence of errors, whether or not discoverable, all to
- the greatest extent permissible under applicable law.
- c. Affirmer disclaims responsibility for clearing rights of other persons
- that may apply to the Work or any use thereof, including without
- limitation any person's Copyright and Related Rights in the Work.
- Further, Affirmer disclaims responsibility for obtaining any necessary
- consents, permissions or other rights required for any use of the
- Work.
- d. Affirmer understands and acknowledges that Creative Commons is not a
- party to this document and has no duty or obligation with respect to
- this CC0 or use of the Work.
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef NTT_PARAMS_H
-#define NTT_PARAMS_H
-
-#define ARRAY_N 256
-
-#define NTT_N 256
-#define LOGNTT_N 8
-
-// root of unity: 1753
-
-
-// Q1
-#define Q1 8380417
-// omegaQ1 = 1753 mod Q1
-#define omegaQ1 1753
-// invomegaQ1 = omegaQ^{-1} mod Q1
-#define invomegaQ1 731434
-// R = 2^32 below
-// RmodQ1 = 2^32 mod^{+-} Q1
-#define RmodQ1 (-4186625)
-// Q1prime = Q1^{-1} mod^{+-} 2^32
-#define Q1prime 58728449
-// invNQ1 = NTT_N^{-1} mod Q1
-#define invNQ1 8347681
-
-// invNQ1R2modQ1 = -NTT_N^{-1} 2^32 2^32 mod^{+-} Q1 below
-#define invNQ1R2modQ1 (-41978)
-// invNQ1R2modQ1_prime = invNQ1R2modQ1 (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1R2modQ1_prime 8395782
-// invNQ1R2modQ1_prime_half = (invNQ1R2modQ1 / 2) (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1R2modQ1_prime_half 4197891
-// invNQ1R2modQ1_doubleprime = (invNQ1R2modQ1_prime Q1 - invNQ1R2modQ1) / 2^32
-#define invNQ1R2modQ1_doubleprime 16382
-
-// invNQ1_final_R2modQ1 = -invNQ1R2modQ1 invomegaQ1^{128} mod q
-#define invNQ1_final_R2modQ1 4404704
-// invNQ1_final_R2modQ1_prime = invNQ1_final_R2modQ1 (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1_final_R2modQ1_prime (-151046688)
-// invNQ1_final_R2modQ1_prime_half = (invNQ1_final_R2modQ1 / 2) (Q1^{-1} mod^{+-} 2^32) mod^{+-} 2^32
-#define invNQ1_final_R2modQ1_prime_half (-75523344)
-// invNQ1_final_R2modQ1_doubleprime = (invNQ1_final_R2modQ1_prime Q1 - invNQ1_final_R2modQ1) / 2^32
-#define invNQ1_final_R2modQ1_doubleprime (-294725)
-
-// RmodQ1_prime = -(RmodQ1 + Q1) Q1prime mod^{+-} 2^32
-#define RmodQ1_prime 512
-// RmodQ1_prime_half = ( -(RmodQ1 + Q1) / 2) Q1prime mod^{+-} 2^32
-#define RmodQ1_prime_half 256
-// RmodQ1_doubleprime = (RmodQ1_prime Q1 - RmodQ1_prime ) / 2^32
-#define RmodQ1_doubleprime 1
-
-#endif
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_top
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_top
-PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_top:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_top:
-
- push_all
- Q .req w20
- src0 .req x0
- src1 .req x1
- src2 .req x2
- src3 .req x3
- src4 .req x4
- src5 .req x5
- src6 .req x6
- src7 .req x7
- src8 .req x8
- src9 .req x9
- src10 .req x10
- src11 .req x11
- src12 .req x12
- src13 .req x13
- src14 .req x14
- src15 .req x15
- table .req x28
- counter .req x19
-
- ldr Q, [x2]
-
- mov table, x1
-
- add src1, src0, #64
- add src2, src0, #128
-
- add src3, src0, #192
- add src4, src0, #256
-
- add src5, src0, #320
- add src6, src0, #384
-
- add src7, src0, #448
- add src8, src0, #512
-
- add src9, src0, #576
- add src10, src0, #640
-
- add src11, src0, #704
- add src12, src0, #768
-
- add src13, src0, #832
- add src14, src0, #896
-
- add src15, src0, #960
-
- ld1 {v20.4S, v21.4S, v22.4S, v23.4S}, [table], #64
- ld1 {v24.4S, v25.4S, v26.4S, v27.4S}, [table], #64
-
- mov v20.S[0], Q
-
- ld1 { v1.4S}, [ src1]
- ld1 { v3.4S}, [ src3]
- ld1 { v5.4S}, [ src5]
- ld1 { v7.4S}, [ src7]
- ld1 { v9.4S}, [ src9]
- ld1 {v11.4S}, [src11]
- ld1 {v13.4S}, [src13]
- ld1 {v15.4S}, [src15]
-
- ld1 { v0.4S}, [ src0]
- ld1 { v2.4S}, [ src2]
- ld1 { v4.4S}, [ src4]
- ld1 { v6.4S}, [ src6]
- ld1 { v8.4S}, [ src8]
- ld1 {v10.4S}, [src10]
- ld1 {v12.4S}, [src12]
- ld1 {v14.4S}, [src14]
-
- qq_butterfly_top v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_bot v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
-
- mov counter, #3
- _ntt_top_loop:
-
- st1 { v1.4S}, [ src1], #16
- ld1 { v1.4S}, [ src1]
- st1 { v3.4S}, [ src3], #16
- ld1 { v3.4S}, [ src3]
- st1 { v5.4S}, [ src5], #16
- ld1 { v5.4S}, [ src5]
- st1 { v7.4S}, [ src7], #16
- ld1 { v7.4S}, [ src7]
- st1 { v9.4S}, [ src9], #16
- ld1 { v9.4S}, [ src9]
- st1 {v11.4S}, [src11], #16
- ld1 {v11.4S}, [src11]
- st1 {v13.4S}, [src13], #16
- ld1 {v13.4S}, [src13]
- st1 {v15.4S}, [src15], #16
- ld1 {v15.4S}, [src15]
-
- st1 { v0.4S}, [ src0], #16
- ld1 { v0.4S}, [ src0]
- st1 { v2.4S}, [ src2], #16
- ld1 { v2.4S}, [ src2]
- st1 { v4.4S}, [ src4], #16
- ld1 { v4.4S}, [ src4]
- st1 { v6.4S}, [ src6], #16
- ld1 { v6.4S}, [ src6]
- st1 { v8.4S}, [ src8], #16
- ld1 { v8.4S}, [ src8]
- st1 {v10.4S}, [src10], #16
- ld1 {v10.4S}, [src10]
- st1 {v12.4S}, [src12], #16
- ld1 {v12.4S}, [src12]
- st1 {v14.4S}, [src14], #16
- ld1 {v14.4S}, [src14]
-
- qq_butterfly_top v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v1, v3, v5, v7, v9, v11, v13, v15, v16, v17, v18, v19, v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v8, v10, v12, v14, v28, v29, v30, v31, v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v1, v3, v9, v11, v5, v7, v13, v15, v16, v17, v18, v19, v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3
- qq_butterfly_mixed v0, v2, v8, v10, v4, v6, v12, v14, v28, v29, v30, v31, v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v20, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v1, v5, v9, v13, v3, v7, v11, v15, v16, v17, v18, v19, v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3
- qq_butterfly_mixed v0, v4, v8, v12, v2, v6, v10, v14, v28, v29, v30, v31, v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v20, v22, 0, 1, v22, 2, 3, v23, 0, 1, v23, 2, 3, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed v0, v2, v4, v6, v1, v3, v5, v7, v16, v17, v18, v19, v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_bot v8, v10, v12, v14, v9, v11, v13, v15, v28, v29, v30, v31, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
-
- sub counter, counter, #1
- cbnz counter, _ntt_top_loop
-
- st1 { v1.4S}, [ src1], #16
- st1 { v3.4S}, [ src3], #16
- st1 { v5.4S}, [ src5], #16
- st1 { v7.4S}, [ src7], #16
- st1 { v9.4S}, [ src9], #16
- st1 {v11.4S}, [src11], #16
- st1 {v13.4S}, [src13], #16
- st1 {v15.4S}, [src15], #16
-
- st1 { v0.4S}, [ src0], #16
- st1 { v2.4S}, [ src2], #16
- st1 { v4.4S}, [ src4], #16
- st1 { v6.4S}, [ src6], #16
- st1 { v8.4S}, [ src8], #16
- st1 {v10.4S}, [src10], #16
- st1 {v12.4S}, [src12], #16
- st1 {v14.4S}, [src14], #16
-
- .unreq Q
- .unreq src0
- .unreq src1
- .unreq src2
- .unreq src3
- .unreq src4
- .unreq src5
- .unreq src6
- .unreq src7
- .unreq src8
- .unreq src9
- .unreq src10
- .unreq src11
- .unreq src12
- .unreq src13
- .unreq src14
- .unreq src15
- .unreq table
- .unreq counter
- pop_all
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_bot
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_bot
-PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_bot:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_bot:
-
- push_all
- Q .req w20
- src0 .req x0
- des0 .req x1
- src1 .req x2
- des1 .req x3
- table0 .req x28
- table1 .req x27
- counter .req x19
-
- ldr Q, [x2]
-
- add table0, x1, #128
- add table1, table0, #1024
-
- add src1, src0, #512
-
- add des0, src0, #0
- add des1, src0, #512
-
- mov counter, #8
- _ntt_bot_loop:
-
- ld1 { v0.4S, v1.4S, v2.4S, v3.4S}, [src0], #64
- ld1 { v16.4S, v17.4S, v18.4S, v19.4S}, [src1], #64
-
- ld1 { v4.4S, v5.4S}, [table0], #32
- ld2 { v6.4S, v7.4S}, [table0], #32
- ld4 { v8.4S, v9.4S, v10.4S, v11.4S}, [table0], #64
- ld1 { v20.4S, v21.4S}, [table1], #32
- ld2 { v22.4S, v23.4S}, [table1], #32
- ld4 { v24.4S, v25.4S, v26.4S, v27.4S}, [table1], #64
-
- mov v4.S[0], Q
-
- dq_butterfly_top v0, v1, v2, v3, v12, v13, v4, v4, 2, 3, v4, 2, 3
- dq_butterfly_mixed v0, v1, v2, v3, v12, v13, v16, v17, v18, v19, v28, v29, v4, v4, 2, 3, v4, 2, 3, v20, 2, 3, v20, 2, 3
- dq_butterfly_mixed v16, v17, v18, v19, v28, v29, v0, v2, v1, v3, v12, v13, v4, v20, 2, 3, v20, 2, 3, v5, 0, 1, v5, 2, 3
- dq_butterfly_mixed v0, v2, v1, v3, v12, v13, v16, v18, v17, v19, v28, v29, v4, v5, 0, 1, v5, 2, 3, v21, 0, 1, v21, 2, 3
- dq_butterfly_bot v16, v18, v17, v19, v28, v29, v4, v21, 0, 1, v21, 2, 3
-
- trn_4x4 v0, v1, v2, v3, v12, v13, v14, v15
- trn_4x4 v16, v17, v18, v19, v28, v29, v30, v31
-
- dq_butterfly_vec_top v0, v1, v2, v3, v12, v13, v4, v6, v7, v6, v7
- dq_butterfly_vec_mixed v0, v1, v2, v3, v12, v13, v16, v17, v18, v19, v28, v29, v4, v6, v7, v6, v7, v22, v23, v22, v23
- dq_butterfly_vec_mixed v16, v17, v18, v19, v28, v29, v0, v2, v1, v3, v12, v13, v4, v22, v23, v22, v23, v8, v9, v10, v11
- dq_butterfly_vec_mixed v0, v2, v1, v3, v12, v13, v16, v18, v17, v19, v28, v29, v4, v8, v9, v10, v11, v24, v25, v26, v27
- dq_butterfly_vec_bot v16, v18, v17, v19, v28, v29, v4, v24, v25, v26, v27
-
- st4 { v0.4S, v1.4S, v2.4S, v3.4S}, [des0], #64
- st4 { v16.4S, v17.4S, v18.4S, v19.4S}, [des1], #64
-
- sub counter, counter, #1
- cbnz counter, _ntt_bot_loop
-
- .unreq Q
- .unreq src0
- .unreq des0
- .unreq src1
- .unreq des1
- .unreq table0
- .unreq table1
- .unreq counter
- pop_all
-
- br lr
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_top
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_top
-PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_top:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_top:
-
- push_all
- Q .req w20
- Qhalf .req w21
- nQhalf .req w22
- invNR2ph .req w24
- invNR2dp .req w25
- invNWR2ph .req w26
- invNWR2dp .req w27
- src0 .req x0
- src1 .req x1
- src2 .req x2
- src3 .req x3
- src4 .req x4
- src5 .req x5
- src6 .req x6
- src7 .req x7
- src8 .req x8
- src9 .req x9
- src10 .req x10
- src11 .req x11
- src12 .req x12
- src13 .req x13
- src14 .req x14
- src15 .req x15
- table .req x28
- counter .req x19
-
- ldr Q, [x2, #0]
- lsr Qhalf, Q, #1
- neg nQhalf, Qhalf
-
- ldr invNR2ph, [x2, #16]
- ldr invNR2dp, [x2, #20]
- ldr invNWR2ph, [x2, #24]
- ldr invNWR2dp, [x2, #28]
-
- mov table, x1
-
- add src1, src0, #64
- add src2, src0, #128
-
- add src3, src0, #192
- add src4, src0, #256
-
- add src5, src0, #320
- add src6, src0, #384
-
- add src7, src0, #448
- add src8, src0, #512
-
- add src9, src0, #576
- add src10, src0, #640
-
- add src11, src0, #704
- add src12, src0, #768
-
- add src13, src0, #832
- add src14, src0, #896
-
- add src15, src0, #960
-
- ld1 {v20.4S, v21.4S, v22.4S, v23.4S}, [table], #64
- ld1 {v24.4S, v25.4S, v26.4S, v27.4S}, [table], #64
-
- mov v20.S[0], Q
-
- ld1 { v0.4S}, [ src0]
- ld1 { v1.4S}, [ src1]
- ld1 { v2.4S}, [ src2]
- ld1 { v3.4S}, [ src3]
- ld1 { v4.4S}, [ src4]
- ld1 { v5.4S}, [ src5]
- ld1 { v6.4S}, [ src6]
- ld1 { v7.4S}, [ src7]
-
- ld1 { v8.4S}, [ src8]
- ld1 { v9.4S}, [ src9]
- ld1 {v10.4S}, [src10]
- ld1 {v11.4S}, [src11]
- ld1 {v12.4S}, [src12]
- ld1 {v13.4S}, [src13]
- ld1 {v14.4S}, [src14]
- ld1 {v15.4S}, [src15]
-
- qq_butterfly_bot v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed_rev v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_mixed_rev v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3
- qq_butterfly_mixed_rev v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v20, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3
- qq_butterfly_mixed_rev v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v20, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1
- qq_butterfly_mixed_rev v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
- qq_butterfly_top v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
-
- mov v20.S[2], invNWR2ph
- mov v20.S[3], invNWR2dp
-
- qq_sub_add v16, v17, v18, v19, v28, v29, v30, v31, v0, v2, v4, v6, v8, v10, v12, v14
- qq_sub_add v0, v2, v4, v6, v8, v10, v12, v14, v1, v3, v5, v7, v9, v11, v13, v15
-
- qq_montgomery_mul v9, v11, v13, v15, v8, v10, v12, v14, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- mov v20.S[2], invNR2ph
- mov v20.S[3], invNR2dp
-
- qq_montgomery_mul v1, v3, v5, v7, v0, v2, v4, v6, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v0, v2, v4, v6, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- dup v29.4S, Q
- dup v30.4S, Qhalf
- dup v31.4S, nQhalf
-
- cmge v18.4S, v31.4S, v0.4S
- cmge v19.4S, v31.4S, v1.4S
- cmge v16.4S, v0.4S, v30.4S
- cmge v17.4S, v1.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v0.4S, v16.4S, v29.4S
- mla v1.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v2.4S
- cmge v19.4S, v31.4S, v3.4S
- cmge v16.4S, v2.4S, v30.4S
- cmge v17.4S, v3.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v2.4S, v16.4S, v29.4S
- mla v3.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v4.4S
- cmge v19.4S, v31.4S, v5.4S
- cmge v16.4S, v4.4S, v30.4S
- cmge v17.4S, v5.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v4.4S, v16.4S, v29.4S
- mla v5.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v6.4S
- cmge v19.4S, v31.4S, v7.4S
- cmge v16.4S, v6.4S, v30.4S
- cmge v17.4S, v7.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v6.4S, v16.4S, v29.4S
- mla v7.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v8.4S
- cmge v19.4S, v31.4S, v9.4S
- cmge v16.4S, v8.4S, v30.4S
- cmge v17.4S, v9.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v8.4S, v16.4S, v29.4S
- mla v9.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v10.4S
- cmge v19.4S, v31.4S, v11.4S
- cmge v16.4S, v10.4S, v30.4S
- cmge v17.4S, v11.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v10.4S, v16.4S, v29.4S
- mla v11.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v12.4S
- cmge v19.4S, v31.4S, v13.4S
- cmge v16.4S, v12.4S, v30.4S
- cmge v17.4S, v13.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v12.4S, v16.4S, v29.4S
- mla v13.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v14.4S
- cmge v19.4S, v31.4S, v15.4S
- cmge v16.4S, v14.4S, v30.4S
- cmge v17.4S, v15.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v14.4S, v16.4S, v29.4S
- mla v15.4S, v17.4S, v29.4S
-
- mov counter, #3
- _intt_top_loop:
-
- st1 { v0.4S}, [ src0], #16
- ld1 { v0.4S}, [ src0]
- st1 { v1.4S}, [ src1], #16
- ld1 { v1.4S}, [ src1]
- st1 { v2.4S}, [ src2], #16
- ld1 { v2.4S}, [ src2]
- st1 { v3.4S}, [ src3], #16
- ld1 { v3.4S}, [ src3]
- st1 { v4.4S}, [ src4], #16
- ld1 { v4.4S}, [ src4]
- st1 { v5.4S}, [ src5], #16
- ld1 { v5.4S}, [ src5]
- st1 { v6.4S}, [ src6], #16
- ld1 { v6.4S}, [ src6]
- st1 { v7.4S}, [ src7], #16
- ld1 { v7.4S}, [ src7]
-
- st1 { v8.4S}, [ src8], #16
- ld1 { v8.4S}, [ src8]
- st1 { v9.4S}, [ src9], #16
- ld1 { v9.4S}, [ src9]
- st1 {v10.4S}, [src10], #16
- ld1 {v10.4S}, [src10]
- st1 {v11.4S}, [src11], #16
- ld1 {v11.4S}, [src11]
- st1 {v12.4S}, [src12], #16
- ld1 {v12.4S}, [src12]
- st1 {v13.4S}, [src13], #16
- ld1 {v13.4S}, [src13]
- st1 {v14.4S}, [src14], #16
- ld1 {v14.4S}, [src14]
- st1 {v15.4S}, [src15], #16
- ld1 {v15.4S}, [src15]
-
- qq_butterfly_bot v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3
- qq_butterfly_mixed_rev v0, v2, v4, v6, v16, v17, v18, v19, v1, v3, v5, v7, v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v20, v24, 0, 1, v24, 2, 3, v25, 0, 1, v25, 2, 3, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3
- qq_butterfly_mixed_rev v8, v10, v12, v14, v28, v29, v30, v31, v9, v11, v13, v15, v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v20, v26, 0, 1, v26, 2, 3, v27, 0, 1, v27, 2, 3, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3
- qq_butterfly_mixed_rev v0, v1, v4, v5, v16, v17, v18, v19, v2, v3, v6, v7, v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v20, v22, 0, 1, v22, 0, 1, v22, 2, 3, v22, 2, 3, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3
- qq_butterfly_mixed_rev v8, v9, v12, v13, v28, v29, v30, v31, v10, v11, v14, v15, v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v20, v23, 0, 1, v23, 0, 1, v23, 2, 3, v23, 2, 3, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1
- qq_butterfly_mixed_rev v0, v1, v2, v3, v16, v17, v18, v19, v4, v5, v6, v7, v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 0, 1, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
- qq_butterfly_top v8, v9, v10, v11, v28, v29, v30, v31, v12, v13, v14, v15, v20, v21, 2, 3, v21, 2, 3, v21, 2, 3, v21, 2, 3
-
- mov v20.S[2], invNWR2ph
- mov v20.S[3], invNWR2dp
-
- qq_sub_add v16, v17, v18, v19, v28, v29, v30, v31, v0, v2, v4, v6, v8, v10, v12, v14
- qq_sub_add v0, v2, v4, v6, v8, v10, v12, v14, v1, v3, v5, v7, v9, v11, v13, v15
-
- qq_montgomery_mul v9, v11, v13, v15, v8, v10, v12, v14, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v8, v10, v12, v14, v28, v29, v30, v31, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- mov v20.S[2], invNR2ph
- mov v20.S[3], invNR2dp
-
- qq_montgomery_mul v1, v3, v5, v7, v0, v2, v4, v6, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
- qq_montgomery_mul v0, v2, v4, v6, v16, v17, v18, v19, v20, v20, 2, 3, v20, 2, 3, v20, 2, 3, v20, 2, 3
-
- dup v29.4S, Q
- dup v30.4S, Qhalf
- dup v31.4S, nQhalf
-
- cmge v18.4S, v31.4S, v0.4S
- cmge v19.4S, v31.4S, v1.4S
- cmge v16.4S, v0.4S, v30.4S
- cmge v17.4S, v1.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v0.4S, v16.4S, v29.4S
- mla v1.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v2.4S
- cmge v19.4S, v31.4S, v3.4S
- cmge v16.4S, v2.4S, v30.4S
- cmge v17.4S, v3.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v2.4S, v16.4S, v29.4S
- mla v3.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v4.4S
- cmge v19.4S, v31.4S, v5.4S
- cmge v16.4S, v4.4S, v30.4S
- cmge v17.4S, v5.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v4.4S, v16.4S, v29.4S
- mla v5.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v6.4S
- cmge v19.4S, v31.4S, v7.4S
- cmge v16.4S, v6.4S, v30.4S
- cmge v17.4S, v7.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v6.4S, v16.4S, v29.4S
- mla v7.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v8.4S
- cmge v19.4S, v31.4S, v9.4S
- cmge v16.4S, v8.4S, v30.4S
- cmge v17.4S, v9.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v8.4S, v16.4S, v29.4S
- mla v9.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v10.4S
- cmge v19.4S, v31.4S, v11.4S
- cmge v16.4S, v10.4S, v30.4S
- cmge v17.4S, v11.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v10.4S, v16.4S, v29.4S
- mla v11.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v12.4S
- cmge v19.4S, v31.4S, v13.4S
- cmge v16.4S, v12.4S, v30.4S
- cmge v17.4S, v13.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v12.4S, v16.4S, v29.4S
- mla v13.4S, v17.4S, v29.4S
-
- cmge v18.4S, v31.4S, v14.4S
- cmge v19.4S, v31.4S, v15.4S
- cmge v16.4S, v14.4S, v30.4S
- cmge v17.4S, v15.4S, v30.4S
-
- sub v16.4S, v16.4S, v18.4S
- sub v17.4S, v17.4S, v19.4S
-
- mla v14.4S, v16.4S, v29.4S
- mla v15.4S, v17.4S, v29.4S
-
- sub counter, counter, #1
- cbnz counter, _intt_top_loop
-
- st1 { v0.4S}, [ src0], #16
- st1 { v1.4S}, [ src1], #16
- st1 { v2.4S}, [ src2], #16
- st1 { v3.4S}, [ src3], #16
- st1 { v4.4S}, [ src4], #16
- st1 { v5.4S}, [ src5], #16
- st1 { v6.4S}, [ src6], #16
- st1 { v7.4S}, [ src7], #16
-
- st1 { v8.4S}, [ src8], #16
- st1 { v9.4S}, [ src9], #16
- st1 {v10.4S}, [src10], #16
- st1 {v11.4S}, [src11], #16
- st1 {v12.4S}, [src12], #16
- st1 {v13.4S}, [src13], #16
- st1 {v14.4S}, [src14], #16
- st1 {v15.4S}, [src15], #16
-
- .unreq Q
- .unreq Qhalf
- .unreq nQhalf
- .unreq invNR2ph
- .unreq invNR2dp
- .unreq invNWR2ph
- .unreq invNWR2dp
- .unreq src0
- .unreq src1
- .unreq src2
- .unreq src3
- .unreq src4
- .unreq src5
- .unreq src6
- .unreq src7
- .unreq src8
- .unreq src9
- .unreq src10
- .unreq src11
- .unreq src12
- .unreq src13
- .unreq src14
- .unreq src15
- .unreq table
- .unreq counter
- pop_all
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_bot
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_bot
-PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_bot:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_bot:
-
- push_all
- Q .req w20
- RphRdp .req x21
- src0 .req x0
- des0 .req x1
- src1 .req x2
- des1 .req x3
- table0 .req x28
- table1 .req x27
- counter .req x19
-
- ldr Q, [x2]
- ldr RphRdp, [x2, #8]
-
- add table0, x1, #128
- add table1, table0, #1024
-
- add src1, src0, #512
-
- add des0, src0, #0
- add des1, src0, #512
-
- mov counter, #8
- _intt_bot_loop:
-
- ld4 { v0.4S, v1.4S, v2.4S, v3.4S}, [src0], #64
- ld4 { v16.4S, v17.4S, v18.4S, v19.4S}, [src1], #64
-
- ld1 { v4.4S, v5.4S}, [table0], #32
- ld2 { v6.4S, v7.4S}, [table0], #32
- ld4 { v8.4S, v9.4S, v10.4S, v11.4S}, [table0], #64
- ld1 { v20.4S, v21.4S}, [table1], #32
- ld2 { v22.4S, v23.4S}, [table1], #32
- ld4 { v24.4S, v25.4S, v26.4S, v27.4S}, [table1], #64
-
- mov v4.S[0], Q
- mov v20.D[0], RphRdp
-
- dq_butterfly_vec_bot v0, v2, v12, v13, v1, v3, v4, v8, v9, v10, v11
- dq_butterfly_vec_mixed_rev v0, v2, v12, v13, v1, v3, v16, v18, v28, v29, v17, v19, v4, v8, v9, v10, v11, v24, v25, v26, v27
- dq_butterfly_vec_mixed_rev v16, v18, v28, v29, v17, v19, v0, v1, v12, v13, v2, v3, v4, v24, v25, v26, v27, v6, v7, v6, v7
- dq_butterfly_vec_mixed_rev v0, v1, v12, v13, v2, v3, v16, v17, v28, v29, v18, v19, v4, v6, v7, v6, v7, v22, v23, v22, v23
- dq_butterfly_vec_top v16, v17, v28, v29, v18, v19, v4, v22, v23, v22, v23
-
- trn_4x4 v0, v1, v2, v3, v12, v13, v14, v15
- trn_4x4 v16, v17, v18, v19, v28, v29, v30, v31
-
- dq_butterfly_bot v0, v2, v12, v13, v1, v3, v4, v5, 0, 1, v5, 2, 3
- dq_butterfly_mixed_rev v0, v2, v12, v13, v1, v3, v16, v18, v28, v29, v17, v19, v4, v5, 0, 1, v5, 2, 3, v21, 0, 1, v21, 2, 3
- dq_butterfly_mixed_rev v16, v18, v28, v29, v17, v19, v0, v1, v12, v13, v2, v3, v4, v21, 0, 1, v21, 2, 3, v4, 2, 3, v4, 2, 3
- dq_butterfly_mixed_rev v0, v1, v12, v13, v2, v3, v16, v17, v28, v29, v18, v19, v4, v4, 2, 3, v4, 2, 3, v20, 2, 3, v20, 2, 3
- dq_butterfly_top v16, v17, v28, v29, v18, v19, v4, v20, 2, 3, v20, 2, 3
-
- srshr v14.4S, v0.4S, #23
- srshr v15.4S, v1.4S, #23
- srshr v30.4S, v16.4S, #23
- srshr v31.4S, v17.4S, #23
-
- mls v0.4S, v14.4S, v4.S[0]
- mls v1.4S, v15.4S, v4.S[0]
- mls v16.4S, v30.4S, v4.S[0]
- mls v17.4S, v31.4S, v4.S[0]
-
- st1 { v0.4S, v1.4S, v2.4S, v3.4S}, [des0], #64
- st1 { v16.4S, v17.4S, v18.4S, v19.4S}, [des1], #64
-
- sub counter, counter, #1
- cbnz counter, _intt_bot_loop
-
- .unreq Q
- .unreq RphRdp
- .unreq src0
- .unreq des0
- .unreq src1
- .unreq des1
- .unreq table0
- .unreq table1
- .unreq counter
- pop_all
-
- br lr
-
-
-
-
-
-
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros.inc"
-#include "params.h"
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_10_to_32
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_10_to_32
-PQCLEAN_DILITHIUM5_AARCH64__asm_10_to_32:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_10_to_32:
-
- mov x7, #16
- _10_to_32_loop:
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #10
- str w3, [x0], #4
- ubfx w4, w2, #10, #10
- str w4, [x0], #4
- ubfx w5, w2, #20, #10
- str w5, [x0], #4
- lsr w6, w2, #30
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #8
- lsl w3, w3, #2
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #8, #10
- str w4, [x0], #4
- ubfx w5, w2, #18, #10
- str w5, [x0], #4
- lsr w6, w2, #28
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #6
- lsl w3, w3, #4
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #6, #10
- str w4, [x0], #4
- ubfx w5, w2, #16, #10
- str w5, [x0], #4
- lsr w6, w2, #26
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #4
- lsl w3, w3, #6
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #4, #10
- str w4, [x0], #4
- ubfx w5, w2, #14, #10
- str w5, [x0], #4
- lsr w6, w2, #24
-
- ldr w2, [x1], #4
-
- ubfx w3, w2, #0, #2
- lsl w3, w3, #8
- orr w3, w3, w6
- str w3, [x0], #4
- ubfx w4, w2, #2, #10
- str w4, [x0], #4
- ubfx w5, w2, #12, #10
- str w5, [x0], #4
- ubfx w6, w2, #22, #10
- str w6, [x0], #4
-
- sub x7, x7, #1
- cbnz x7, _10_to_32_loop
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_reduce
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_reduce
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_reduce:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_reduce:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #7
- _poly_reduce_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_reduce_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_caddq
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_caddq
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_caddq:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_caddq:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- sshr v16.4S, v0.4S, #31
- ld1 { v5.4S}, [x1], #16
- sshr v17.4S, v1.4S, #31
- ld1 { v6.4S}, [x1], #16
- sshr v18.4S, v2.4S, #31
- ld1 { v7.4S}, [x1], #16
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #7
- _poly_caddq_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- sshr v16.4S, v0.4S, #31
- ld1 { v5.4S}, [x1], #16
- sshr v17.4S, v1.4S, #31
- ld1 { v6.4S}, [x1], #16
- sshr v18.4S, v2.4S, #31
- ld1 { v7.4S}, [x1], #16
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_caddq_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_freeze
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_freeze
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_freeze:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_freeze:
-
- ldr w4, [x1]
-
- dup v24.4S, w4
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- sshr v16.4S, v0.4S, #31
- mls v5.4S, v21.4S, v24.4S
- sshr v17.4S, v1.4S, #31
- mls v6.4S, v22.4S, v24.4S
- sshr v18.4S, v2.4S, #31
- mls v7.4S, v23.4S, v24.4S
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- mov x16, #8
- _poly_freeze_loop:
-
- st1 { v4.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 { v5.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 { v6.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 { v7.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x1], #16
- srshr v16.4S, v0.4S, #23
- ld1 { v5.4S}, [x1], #16
- srshr v17.4S, v1.4S, #23
- ld1 { v6.4S}, [x1], #16
- srshr v18.4S, v2.4S, #23
- ld1 { v7.4S}, [x1], #16
- srshr v19.4S, v3.4S, #23
-
- srshr v20.4S, v4.4S, #23
- mls v0.4S, v16.4S, v24.4S
- srshr v21.4S, v5.4S, #23
- mls v1.4S, v17.4S, v24.4S
- srshr v22.4S, v6.4S, #23
- mls v2.4S, v18.4S, v24.4S
- srshr v23.4S, v7.4S, #23
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- sshr v16.4S, v0.4S, #31
- mls v5.4S, v21.4S, v24.4S
- sshr v17.4S, v1.4S, #31
- mls v6.4S, v22.4S, v24.4S
- sshr v18.4S, v2.4S, #31
- mls v7.4S, v23.4S, v24.4S
- sshr v19.4S, v3.4S, #31
-
- sshr v20.4S, v4.4S, #31
- mls v0.4S, v16.4S, v24.4S
- sshr v21.4S, v5.4S, #31
- mls v1.4S, v17.4S, v24.4S
- sshr v22.4S, v6.4S, #31
- mls v2.4S, v18.4S, v24.4S
- sshr v23.4S, v7.4S, #31
- mls v3.4S, v19.4S, v24.4S
-
- mls v4.4S, v20.4S, v24.4S
- st1 { v0.4S}, [x0], #16
- mls v5.4S, v21.4S, v24.4S
- st1 { v1.4S}, [x0], #16
- mls v6.4S, v22.4S, v24.4S
- st1 { v2.4S}, [x0], #16
- mls v7.4S, v23.4S, v24.4S
- st1 { v3.4S}, [x0], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_freeze_loop
-
- st1 { v4.4S}, [x0], #16
- st1 { v5.4S}, [x0], #16
- st1 { v6.4S}, [x0], #16
- st1 { v7.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_power2round
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_power2round
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_power2round:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_power2round:
-
- mov w4, #1
-
- dup v28.4S, w4
-
- ld1 { v0.4S}, [x2], #16
- ld1 { v1.4S}, [x2], #16
- ld1 { v2.4S}, [x2], #16
- ld1 { v3.4S}, [x2], #16
-
- ld1 {v20.4S}, [x2], #16
- sub v4.4S, v0.4S, v28.4S
- ld1 {v21.4S}, [x2], #16
- sub v5.4S, v1.4S, v28.4S
- ld1 {v22.4S}, [x2], #16
- sub v6.4S, v2.4S, v28.4S
- ld1 {v23.4S}, [x2], #16
- sub v7.4S, v3.4S, v28.4S
-
- sub v24.4S, v20.4S, v28.4S
- srshr v16.4S, v4.4S, #13
- sub v25.4S, v21.4S, v28.4S
- srshr v17.4S, v5.4S, #13
- sub v26.4S, v22.4S, v28.4S
- srshr v18.4S, v6.4S, #13
- sub v27.4S, v23.4S, v28.4S
- srshr v19.4S, v7.4S, #13
-
- srshr v28.4S, v24.4S, #13
- st1 {v16.4S}, [x0], #16
- srshr v29.4S, v25.4S, #13
- st1 {v17.4S}, [x0], #16
- srshr v30.4S, v26.4S, #13
- st1 {v18.4S}, [x0], #16
- srshr v31.4S, v27.4S, #13
- st1 {v19.4S}, [x0], #16
-
- st1 {v28.4S}, [x0], #16
- shl v4.4S, v16.4S, #13
- st1 {v29.4S}, [x0], #16
- shl v5.4S, v17.4S, #13
- st1 {v30.4S}, [x0], #16
- shl v6.4S, v18.4S, #13
- st1 {v31.4S}, [x0], #16
- shl v7.4S, v19.4S, #13
-
- shl v24.4S, v28.4S, #13
- sub v16.4S, v0.4S, v4.4S
- shl v25.4S, v29.4S, #13
- sub v17.4S, v1.4S, v5.4S
- shl v26.4S, v30.4S, #13
- sub v18.4S, v2.4S, v6.4S
- shl v27.4S, v31.4S, #13
- sub v19.4S, v3.4S, v7.4S
-
- sub v28.4S, v20.4S, v24.4S
- st1 {v16.4S}, [x1], #16
- sub v29.4S, v21.4S, v25.4S
- st1 {v17.4S}, [x1], #16
- sub v30.4S, v22.4S, v26.4S
- st1 {v18.4S}, [x1], #16
- sub v31.4S, v23.4S, v27.4S
- st1 {v19.4S}, [x1], #16
-
- mov x16, #7
- _poly_power2round_loop:
-
- st1 {v28.4S}, [x1], #16
- dup v28.4S, w4
- ld1 { v0.4S}, [x2], #16
- st1 {v29.4S}, [x1], #16
- ld1 { v1.4S}, [x2], #16
- st1 {v30.4S}, [x1], #16
- ld1 { v2.4S}, [x2], #16
- st1 {v31.4S}, [x1], #16
- ld1 { v3.4S}, [x2], #16
-
- ld1 {v20.4S}, [x2], #16
- sub v4.4S, v0.4S, v28.4S
- ld1 {v21.4S}, [x2], #16
- sub v5.4S, v1.4S, v28.4S
- ld1 {v22.4S}, [x2], #16
- sub v6.4S, v2.4S, v28.4S
- ld1 {v23.4S}, [x2], #16
- sub v7.4S, v3.4S, v28.4S
-
- sub v24.4S, v20.4S, v28.4S
- srshr v16.4S, v4.4S, #13
- sub v25.4S, v21.4S, v28.4S
- srshr v17.4S, v5.4S, #13
- sub v26.4S, v22.4S, v28.4S
- srshr v18.4S, v6.4S, #13
- sub v27.4S, v23.4S, v28.4S
- srshr v19.4S, v7.4S, #13
-
- srshr v28.4S, v24.4S, #13
- st1 {v16.4S}, [x0], #16
- srshr v29.4S, v25.4S, #13
- st1 {v17.4S}, [x0], #16
- srshr v30.4S, v26.4S, #13
- st1 {v18.4S}, [x0], #16
- srshr v31.4S, v27.4S, #13
- st1 {v19.4S}, [x0], #16
-
- st1 {v28.4S}, [x0], #16
- shl v4.4S, v16.4S, #13
- st1 {v29.4S}, [x0], #16
- shl v5.4S, v17.4S, #13
- st1 {v30.4S}, [x0], #16
- shl v6.4S, v18.4S, #13
- st1 {v31.4S}, [x0], #16
- shl v7.4S, v19.4S, #13
-
- shl v24.4S, v28.4S, #13
- sub v16.4S, v0.4S, v4.4S
- shl v25.4S, v29.4S, #13
- sub v17.4S, v1.4S, v5.4S
- shl v26.4S, v30.4S, #13
- sub v18.4S, v2.4S, v6.4S
- shl v27.4S, v31.4S, #13
- sub v19.4S, v3.4S, v7.4S
-
- sub v28.4S, v20.4S, v24.4S
- st1 {v16.4S}, [x1], #16
- sub v29.4S, v21.4S, v25.4S
- st1 {v17.4S}, [x1], #16
- sub v30.4S, v22.4S, v26.4S
- st1 {v18.4S}, [x1], #16
- sub v31.4S, v23.4S, v27.4S
- st1 {v19.4S}, [x1], #16
-
- sub x16, x16, #1
- cbnz x16, _poly_power2round_loop
-
- st1 {v28.4S}, [x1], #16
- st1 {v29.4S}, [x1], #16
- st1 {v30.4S}, [x1], #16
- st1 {v31.4S}, [x1], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_add
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_add
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_add:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_add:
-
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- add v16.4S, v0.4S, v4.4S
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- add v17.4S, v1.4S, v5.4S
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- add v18.4S, v2.4S, v6.4S
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- add v19.4S, v3.4S, v7.4S
-
- mov x16, #15
- _poly_add_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- add v16.4S, v0.4S, v4.4S
- st1 {v17.4S}, [x0], #16
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- add v17.4S, v1.4S, v5.4S
- st1 {v18.4S}, [x0], #16
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- add v18.4S, v2.4S, v6.4S
- st1 {v19.4S}, [x0], #16
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- add v19.4S, v3.4S, v7.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_add_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_sub
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_sub
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_sub:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_sub:
-
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- sub v16.4S, v0.4S, v4.4S
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- sub v17.4S, v1.4S, v5.4S
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- sub v18.4S, v2.4S, v6.4S
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- sub v19.4S, v3.4S, v7.4S
-
- mov x16, #15
- _poly_sub_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 {v0.4S}, [x1], #16
- ld1 {v4.4S}, [x2], #16
- sub v16.4S, v0.4S, v4.4S
- st1 {v17.4S}, [x0], #16
- ld1 {v1.4S}, [x1], #16
- ld1 {v5.4S}, [x2], #16
- sub v17.4S, v1.4S, v5.4S
- st1 {v18.4S}, [x0], #16
- ld1 {v2.4S}, [x1], #16
- ld1 {v6.4S}, [x2], #16
- sub v18.4S, v2.4S, v6.4S
- st1 {v19.4S}, [x0], #16
- ld1 {v3.4S}, [x1], #16
- ld1 {v7.4S}, [x2], #16
- sub v19.4S, v3.4S, v7.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_sub_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_shiftl
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_shiftl
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_shiftl:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_shiftl:
-
- add x1, x0, #0
-
- ld1 { v0.4S}, [x1], #16
- shl v16.4S, v0.4S, #13
- ld1 { v1.4S}, [x1], #16
- shl v17.4S, v1.4S, #13
- ld1 { v2.4S}, [x1], #16
- shl v18.4S, v2.4S, #13
- ld1 { v3.4S}, [x1], #16
- shl v19.4S, v3.4S, #13
- ld1 { v4.4S}, [x1], #16
- shl v20.4S, v4.4S, #13
- ld1 { v5.4S}, [x1], #16
- shl v21.4S, v5.4S, #13
- ld1 { v6.4S}, [x1], #16
- shl v22.4S, v6.4S, #13
- ld1 { v7.4S}, [x1], #16
- shl v23.4S, v7.4S, #13
-
- mov x16, #7
- _poly_shiftl_loop:
-
- st1 {v16.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- shl v16.4S, v0.4S, #13
- st1 {v17.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- shl v17.4S, v1.4S, #13
- st1 {v18.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- shl v18.4S, v2.4S, #13
- st1 {v19.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
- shl v19.4S, v3.4S, #13
- st1 {v20.4S}, [x0], #16
- ld1 { v4.4S}, [x1], #16
- shl v20.4S, v4.4S, #13
- st1 {v21.4S}, [x0], #16
- ld1 { v5.4S}, [x1], #16
- shl v21.4S, v5.4S, #13
- st1 {v22.4S}, [x0], #16
- ld1 { v6.4S}, [x1], #16
- shl v22.4S, v6.4S, #13
- st1 {v23.4S}, [x0], #16
- ld1 { v7.4S}, [x1], #16
- shl v23.4S, v7.4S, #13
-
- sub x16, x16, #1
- cbnz x16, _poly_shiftl_loop
-
- st1 {v16.4S}, [x0], #16
- st1 {v17.4S}, [x0], #16
- st1 {v18.4S}, [x0], #16
- st1 {v19.4S}, [x0], #16
- st1 {v20.4S}, [x0], #16
- st1 {v21.4S}, [x0], #16
- st1 {v22.4S}, [x0], #16
- st1 {v23.4S}, [x0], #16
-
- br lr
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_poly_pointwise_montgomery
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_poly_pointwise_montgomery
-PQCLEAN_DILITHIUM5_AARCH64__asm_poly_pointwise_montgomery:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_poly_pointwise_montgomery:
-
- push_all
-
- ldr w20, [x3, #0]
- ldr w21, [x3, #4]
-
- dup v30.4S, w20
- dup v31.4S, w21
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- mov x16, #15
- _poly_pointwise_montgomery_loop:
-
- st1 {v24.4S}, [x0], #16
- ld1 { v0.4S}, [x1], #16
- st1 {v25.4S}, [x0], #16
- ld1 { v1.4S}, [x1], #16
- st1 {v26.4S}, [x0], #16
- ld1 { v2.4S}, [x1], #16
- st1 {v27.4S}, [x0], #16
- ld1 { v3.4S}, [x1], #16
-
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- sub x16, x16, #1
- cbnz x16, _poly_pointwise_montgomery_loop
-
- st1 {v24.4S}, [x0], #16
- st1 {v25.4S}, [x0], #16
- st1 {v26.4S}, [x0], #16
- st1 {v27.4S}, [x0], #16
-
- pop_all
-
- br lr
-
-
-.align 2
-.global PQCLEAN_DILITHIUM5_AARCH64__asm_polyvecl_pointwise_acc_montgomery
-.global _PQCLEAN_DILITHIUM5_AARCH64__asm_polyvecl_pointwise_acc_montgomery
-PQCLEAN_DILITHIUM5_AARCH64__asm_polyvecl_pointwise_acc_montgomery:
-_PQCLEAN_DILITHIUM5_AARCH64__asm_polyvecl_pointwise_acc_montgomery:
-
- push_all
-
- ldr w20, [x3, #0]
- ldr w21, [x3, #4]
-
- add x5, x1, #1024*1
- add x6, x2, #1024*1
-
- add x7, x1, #1024*2
- add x8, x2, #1024*2
-
- add x9, x1, #1024*3
- add x10, x2, #1024*3
-
-#if L > 4
- add x11, x1, #1024*4
- add x12, x2, #1024*4
-#endif
-
-#if L > 5
- add x13, x11, #1024*1
- add x14, x12, #1024*1
-
- add x15, x11, #1024*2
- add x19, x12, #1024*2
-#endif
-
- dup v30.4S, w20
- dup v31.4S, w21
-
- ld1 { v0.4S}, [x1], #16
- ld1 { v1.4S}, [x1], #16
- ld1 { v2.4S}, [x1], #16
- ld1 { v3.4S}, [x1], #16
- ld1 { v4.4S}, [x2], #16
- ld1 { v5.4S}, [x2], #16
- ld1 { v6.4S}, [x2], #16
- ld1 { v7.4S}, [x2], #16
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x5], #16
- ld1 { v4.4S}, [ x6], #16
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x5], #16
- ld1 { v5.4S}, [ x6], #16
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x5], #16
- ld1 { v6.4S}, [ x6], #16
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x5], #16
- ld1 { v7.4S}, [ x6], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x7], #16
- ld1 { v4.4S}, [ x8], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x7], #16
- ld1 { v5.4S}, [ x8], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x7], #16
- ld1 { v6.4S}, [ x8], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x7], #16
- ld1 { v7.4S}, [ x8], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x9], #16
- ld1 { v4.4S}, [x10], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x9], #16
- ld1 { v5.4S}, [x10], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x9], #16
- ld1 { v6.4S}, [x10], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x9], #16
- ld1 { v7.4S}, [x10], #16
-
-#if L > 4
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x11], #16
- ld1 { v4.4S}, [x12], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x11], #16
- ld1 { v5.4S}, [x12], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x11], #16
- ld1 { v6.4S}, [x12], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x11], #16
- ld1 { v7.4S}, [x12], #16
-#endif
-
-#if L > 5
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x13], #16
- ld1 { v4.4S}, [x14], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x13], #16
- ld1 { v5.4S}, [x14], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x13], #16
- ld1 { v6.4S}, [x14], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x13], #16
- ld1 { v7.4S}, [x14], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x15], #16
- ld1 { v4.4S}, [x19], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x15], #16
- ld1 { v5.4S}, [x19], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x15], #16
- ld1 { v6.4S}, [x19], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x15], #16
- ld1 { v7.4S}, [x19], #16
-#endif
-
- mov x16, #15
- _polyvecl_pointwise_acc_montgomery_loop:
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- ld1 { v0.4S}, [x1], #16
- uzp1 v21.4S, v13.4S, v17.4S
- ld1 { v1.4S}, [x1], #16
- uzp1 v22.4S, v14.4S, v18.4S
- ld1 { v2.4S}, [x1], #16
- uzp1 v23.4S, v15.4S, v19.4S
- ld1 { v3.4S}, [x1], #16
-
- mul v24.4S, v20.4S, v31.4S
- ld1 { v4.4S}, [x2], #16
- mul v25.4S, v21.4S, v31.4S
- ld1 { v5.4S}, [x2], #16
- mul v26.4S, v22.4S, v31.4S
- ld1 { v6.4S}, [x2], #16
- mul v27.4S, v23.4S, v31.4S
- ld1 { v7.4S}, [x2], #16
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- smull v12.2D, v0.2S, v4.2S
- smull2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x5], #16
- st1 {v24.4S}, [x0], #16
- ld1 { v4.4S}, [ x6], #16
- smull v13.2D, v1.2S, v5.2S
- smull2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x5], #16
- st1 {v25.4S}, [x0], #16
- ld1 { v5.4S}, [ x6], #16
- smull v14.2D, v2.2S, v6.2S
- smull2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x5], #16
- st1 {v26.4S}, [x0], #16
- ld1 { v6.4S}, [ x6], #16
- smull v15.2D, v3.2S, v7.2S
- smull2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x5], #16
- st1 {v27.4S}, [x0], #16
- ld1 { v7.4S}, [ x6], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x7], #16
- ld1 { v4.4S}, [ x8], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x7], #16
- ld1 { v5.4S}, [ x8], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x7], #16
- ld1 { v6.4S}, [ x8], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x7], #16
- ld1 { v7.4S}, [ x8], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [ x9], #16
- ld1 { v4.4S}, [x10], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [ x9], #16
- ld1 { v5.4S}, [x10], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [ x9], #16
- ld1 { v6.4S}, [x10], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [ x9], #16
- ld1 { v7.4S}, [x10], #16
-
-#if L > 4
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x11], #16
- ld1 { v4.4S}, [x12], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x11], #16
- ld1 { v5.4S}, [x12], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x11], #16
- ld1 { v6.4S}, [x12], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x11], #16
- ld1 { v7.4S}, [x12], #16
-#endif
-
-#if L > 5
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x13], #16
- ld1 { v4.4S}, [x14], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x13], #16
- ld1 { v5.4S}, [x14], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x13], #16
- ld1 { v6.4S}, [x14], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x13], #16
- ld1 { v7.4S}, [x14], #16
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- ld1 { v0.4S}, [x15], #16
- ld1 { v4.4S}, [x19], #16
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- ld1 { v1.4S}, [x15], #16
- ld1 { v5.4S}, [x19], #16
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- ld1 { v2.4S}, [x15], #16
- ld1 { v6.4S}, [x19], #16
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
- ld1 { v3.4S}, [x15], #16
- ld1 { v7.4S}, [x19], #16
-#endif
-
- sub x16, x16, #1
- cbnz x16, _polyvecl_pointwise_acc_montgomery_loop
-
- smlal v12.2D, v0.2S, v4.2S
- smlal2 v16.2D, v0.4S, v4.4S
- smlal v13.2D, v1.2S, v5.2S
- smlal2 v17.2D, v1.4S, v5.4S
- smlal v14.2D, v2.2S, v6.2S
- smlal2 v18.2D, v2.4S, v6.4S
- smlal v15.2D, v3.2S, v7.2S
- smlal2 v19.2D, v3.4S, v7.4S
-
- uzp1 v20.4S, v12.4S, v16.4S
- uzp1 v21.4S, v13.4S, v17.4S
- uzp1 v22.4S, v14.4S, v18.4S
- uzp1 v23.4S, v15.4S, v19.4S
-
- mul v24.4S, v20.4S, v31.4S
- mul v25.4S, v21.4S, v31.4S
- mul v26.4S, v22.4S, v31.4S
- mul v27.4S, v23.4S, v31.4S
-
- smlsl v12.2D, v24.2S, v30.2S
- smlsl2 v16.2D, v24.4S, v30.4S
- smlsl v13.2D, v25.2S, v30.2S
- smlsl2 v17.2D, v25.4S, v30.4S
- smlsl v14.2D, v26.2S, v30.2S
- smlsl2 v18.2D, v26.4S, v30.4S
- smlsl v15.2D, v27.2S, v30.2S
- smlsl2 v19.2D, v27.4S, v30.4S
-
- uzp2 v24.4S, v12.4S, v16.4S
- uzp2 v25.4S, v13.4S, v17.4S
- uzp2 v26.4S, v14.4S, v18.4S
- uzp2 v27.4S, v15.4S, v19.4S
-
- st1 {v24.4S}, [x0], #16
- st1 {v25.4S}, [x0], #16
- st1 {v26.4S}, [x0], #16
- st1 {v27.4S}, [x0], #16
-
- pop_all
-
- br lr
-
-
-
-
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PQCLEAN_DILITHIUM5_AARCH64_API_H
-#define PQCLEAN_DILITHIUM5_AARCH64_API_H
-
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define PQCLEAN_DILITHIUM5_AARCH64_CRYPTO_PUBLICKEYBYTES 2592
-#define PQCLEAN_DILITHIUM5_AARCH64_CRYPTO_SECRETKEYBYTES 4864
-#define PQCLEAN_DILITHIUM5_AARCH64_CRYPTO_BYTES 4595
-#define PQCLEAN_DILITHIUM5_AARCH64_CRYPTO_ALGNAME "Dilithium5"
-
-
-int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_signature(
- uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_verify(
- const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign(
- uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen, const uint8_t *sk);
-
-int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_open(
- uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen, const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-
-/*
-MIT License
-
-Copyright (c) 2020 Bas Westerbaan
-Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
-*/
-
-#if (__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3)
-
-.macro round
- ; Execute theta, but without xoring into the state yet.
- ; Compute parities p[i] = a[i] ^ a[5+i] ^ ... ^ a[20+i].
- eor3.16b v25, v0, v5, v10
- eor3.16b v26, v1, v6, v11
- eor3.16b v27, v2, v7, v12
- eor3.16b v28, v3, v8, v13
- eor3.16b v29, v4, v9, v14
-
- eor3.16b v25, v25, v15, v20
- eor3.16b v26, v26, v16, v21
- eor3.16b v27, v27, v17, v22
- eor3.16b v28, v28, v18, v23
- eor3.16b v29, v29, v19, v24
-
- rax1.2d v30, v29, v26 ; d[0] = rotl(p[1], 1) ^ p[4]
- rax1.2d v29, v27, v29 ; d[3] = rotl(p[4], 1) ^ p[2]
- rax1.2d v27, v25, v27 ; d[1] = rotl(p[2], 1) ^ p[0]
- rax1.2d v25, v28, v25 ; d[4] = rotl(p[0], 1) ^ p[3]
- rax1.2d v28, v26, v28 ; d[2] = rotl(p[3], 1) ^ p[1]
-
- ; Xor parities from step theta into the state at the same time
- ; as executing rho and pi.
- eor.16b v0, v0, v30
- mov.16b v31, v1
- xar.2d v1, v6, v27, 20
- xar.2d v6, v9, v25, 44
- xar.2d v9, v22, v28, 3
- xar.2d v22, v14, v25, 25
- xar.2d v14, v20, v30, 46
- xar.2d v20, v2, v28, 2
- xar.2d v2, v12, v28, 21
- xar.2d v12, v13, v29, 39
- xar.2d v13, v19, v25, 56
- xar.2d v19, v23, v29, 8
- xar.2d v23, v15, v30, 23
- xar.2d v15, v4, v25, 37
- xar.2d v4, v24, v25, 50
- xar.2d v24, v21, v27, 62
- xar.2d v21, v8, v29, 9
- xar.2d v8, v16, v27, 19
- xar.2d v16, v5, v30, 28
- xar.2d v5, v3, v29, 36
- xar.2d v3, v18, v29, 43
- xar.2d v18, v17, v28, 49
- xar.2d v17, v11, v27, 54
- xar.2d v11, v7, v28, 58
- xar.2d v7, v10, v30, 61
- xar.2d v10, v31, v27, 63
-
- ; Chi
- bcax.16b v25, v0, v2, v1
- bcax.16b v26, v1, v3, v2
- bcax.16b v2, v2, v4, v3
- bcax.16b v3, v3, v0, v4
- bcax.16b v4, v4, v1, v0
- mov.16b v0, v25
- mov.16b v1, v26
-
- bcax.16b v25, v5, v7, v6
- bcax.16b v26, v6, v8, v7
- bcax.16b v7, v7, v9, v8
- bcax.16b v8, v8, v5, v9
- bcax.16b v9, v9, v6, v5
- mov.16b v5, v25
- mov.16b v6, v26
-
- bcax.16b v25, v10, v12, v11
- bcax.16b v26, v11, v13, v12
- bcax.16b v12, v12, v14, v13
- bcax.16b v13, v13, v10, v14
- bcax.16b v14, v14, v11, v10
- mov.16b v10, v25
- mov.16b v11, v26
-
- bcax.16b v25, v15, v17, v16
- bcax.16b v26, v16, v18, v17
- bcax.16b v17, v17, v19, v18
- bcax.16b v18, v18, v15, v19
- bcax.16b v19, v19, v16, v15
- mov.16b v15, v25
- mov.16b v16, v26
-
- bcax.16b v25, v20, v22, v21
- bcax.16b v26, v21, v23, v22
- bcax.16b v22, v22, v24, v23
- bcax.16b v23, v23, v20, v24
- bcax.16b v24, v24, v21, v20
- mov.16b v20, v25
- mov.16b v21, v26
-
- ; iota
- ld1r {v25.2d}, [x1], #8
- eor.16b v0, v0, v25
-.endm
-
-.align 4
-.global PQCLEAN_DILITHIUM5_AARCH64_f1600x2
-.global _PQCLEAN_DILITHIUM5_AARCH64_f1600x2
-PQCLEAN_DILITHIUM5_AARCH64_f1600x2:
-_PQCLEAN_DILITHIUM5_AARCH64_f1600x2:
- stp d8, d9, [sp,#-16]!
- stp d10, d11, [sp,#-16]!
- stp d12, d13, [sp,#-16]!
- stp d14, d15, [sp,#-16]!
-
- mov x2, x0
- mov x3, #24
-
- ld1.2d {v0, v1, v2, v3}, [x0], #64
- ld1.2d {v4, v5, v6, v7}, [x0], #64
- ld1.2d {v8, v9, v10, v11}, [x0], #64
- ld1.2d {v12, v13, v14, v15}, [x0], #64
- ld1.2d {v16, v17, v18, v19}, [x0], #64
- ld1.2d {v20, v21, v22, v23}, [x0], #64
- ld1.2d {v24}, [x0]
-
-loop:
- round
-
- subs x3, x3, #1
- cbnz x3, loop
-
- mov x0, x2
- st1.2d {v0, v1, v2, v3}, [x0], #64
- st1.2d {v4, v5, v6, v7}, [x0], #64
- st1.2d {v8, v9, v10, v11}, [x0], #64
- st1.2d {v12, v13, v14, v15}, [x0], #64
- st1.2d {v16, v17, v18, v19}, [x0], #64
- st1.2d {v20, v21, v22, v23}, [x0], #64
- st1.2d {v24}, [x0]
-
- ldp d14, d15, [sp], #16
- ldp d12, d13, [sp], #16
- ldp d10, d11, [sp], #16
- ldp d8, d9, [sp], #16
-
- ret lr
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * at https://github.com/GMUCERG/PQC_NEON/blob/main/neon/kyber or
- * public domain at https://github.com/cothan/kyber/blob/master/neon
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License for this file.
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include <arm_neon.h>
-#include <stddef.h>
-#include "fips202x2.h"
-
-
-#define NROUNDS 24
-
-// Define NEON operation
-// c = load(ptr)
-#define vload(ptr) vld1q_u64(ptr);
-// ptr <= c;
-#define vstore(ptr, c) vst1q_u64(ptr, c);
-// c = a ^ b
-#define vxor(c, a, b) c = veorq_u64(a, b);
-// Rotate by n bit ((a << offset) ^ (a >> (64-offset)))
-#define vROL(out, a, offset) \
- (out) = vshlq_n_u64(a, offset); \
- (out) = vsriq_n_u64(out, a, 64 - (offset));
-// Xor chain: out = a ^ b ^ c ^ d ^ e
-#define vXOR4(out, a, b, c, d, e) \
- (out) = veorq_u64(a, b); \
- (out) = veorq_u64(out, c); \
- (out) = veorq_u64(out, d); \
- (out) = veorq_u64(out, e);
-// Not And c = ~a & b
-// #define vbic(c, a, b) c = vbicq_u64(b, a);
-// Xor Not And: out = a ^ ( (~b) & c)
-#define vXNA(out, a, b, c) \
- (out) = vbicq_u64(c, b); \
- (out) = veorq_u64(out, a);
-// Rotate by 1 bit, then XOR: a ^ ROL(b): SHA1 instruction, not support
-#define vrxor(c, a, b) c = vrax1q_u64(a, b);
-// End Define
-
-/* Keccak round constants */
-static const uint64_t neon_KeccakF_RoundConstants[NROUNDS] = {
- (uint64_t)0x0000000000000001ULL,
- (uint64_t)0x0000000000008082ULL,
- (uint64_t)0x800000000000808aULL,
- (uint64_t)0x8000000080008000ULL,
- (uint64_t)0x000000000000808bULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008009ULL,
- (uint64_t)0x000000000000008aULL,
- (uint64_t)0x0000000000000088ULL,
- (uint64_t)0x0000000080008009ULL,
- (uint64_t)0x000000008000000aULL,
- (uint64_t)0x000000008000808bULL,
- (uint64_t)0x800000000000008bULL,
- (uint64_t)0x8000000000008089ULL,
- (uint64_t)0x8000000000008003ULL,
- (uint64_t)0x8000000000008002ULL,
- (uint64_t)0x8000000000000080ULL,
- (uint64_t)0x000000000000800aULL,
- (uint64_t)0x800000008000000aULL,
- (uint64_t)0x8000000080008081ULL,
- (uint64_t)0x8000000000008080ULL,
- (uint64_t)0x0000000080000001ULL,
- (uint64_t)0x8000000080008008ULL
-};
-
-/*************************************************
-* Name: KeccakF1600_StatePermutex2
-*
-* Description: The Keccak F1600 Permutation
-*
-* Arguments: - uint64_t *state: pointer to input/output Keccak state
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64_f1600x2(v128*, const uint64_t*);
-static inline
-void KeccakF1600_StatePermutex2(v128 state[25])
-{
-#if (__APPLE__ && __ARM_FEATURE_CRYPTO) || (__ARM_FEATURE_SHA3) /* although not sure what is being implemented, we find something fast */
- PQCLEAN_DILITHIUM5_AARCH64_f1600x2(state, neon_KeccakF_RoundConstants);
-#else
- v128 Aba, Abe, Abi, Abo, Abu;
- v128 Aga, Age, Agi, Ago, Agu;
- v128 Aka, Ake, Aki, Ako, Aku;
- v128 Ama, Ame, Ami, Amo, Amu;
- v128 Asa, Ase, Asi, Aso, Asu;
- v128 BCa, BCe, BCi, BCo, BCu; // tmp
- v128 Da, De, Di, Do, Du; // D
- v128 Eba, Ebe, Ebi, Ebo, Ebu;
- v128 Ega, Ege, Egi, Ego, Egu;
- v128 Eka, Eke, Eki, Eko, Eku;
- v128 Ema, Eme, Emi, Emo, Emu;
- v128 Esa, Ese, Esi, Eso, Esu;
-
- //copyFromState(A, state)
- Aba = state[0];
- Abe = state[1];
- Abi = state[2];
- Abo = state[3];
- Abu = state[4];
- Aga = state[5];
- Age = state[6];
- Agi = state[7];
- Ago = state[8];
- Agu = state[9];
- Aka = state[10];
- Ake = state[11];
- Aki = state[12];
- Ako = state[13];
- Aku = state[14];
- Ama = state[15];
- Ame = state[16];
- Ami = state[17];
- Amo = state[18];
- Amu = state[19];
- Asa = state[20];
- Ase = state[21];
- Asi = state[22];
- Aso = state[23];
- Asu = state[24];
-
- for (int round = 0; round < NROUNDS; round += 2)
- {
- // prepareTheta
- vXOR4(BCa, Aba, Aga, Aka, Ama, Asa);
- vXOR4(BCe, Abe, Age, Ake, Ame, Ase);
- vXOR4(BCi, Abi, Agi, Aki, Ami, Asi);
- vXOR4(BCo, Abo, Ago, Ako, Amo, Aso);
- vXOR4(BCu, Abu, Agu, Aku, Amu, Asu);
-
- //thetaRhoPiChiIotaPrepareTheta(round , A, E)
- vROL(Da, BCe, 1);
- vxor(Da, BCu, Da);
- vROL(De, BCi, 1);
- vxor(De, BCa, De);
- vROL(Di, BCo, 1);
- vxor(Di, BCe, Di);
- vROL(Do, BCu, 1);
- vxor(Do, BCi, Do);
- vROL(Du, BCa, 1);
- vxor(Du, BCo, Du);
-
- vxor(Aba, Aba, Da);
- vxor(Age, Age, De);
- vROL(BCe, Age, 44);
- vxor(Aki, Aki, Di);
- vROL(BCi, Aki, 43);
- vxor(Amo, Amo, Do);
- vROL(BCo, Amo, 21);
- vxor(Asu, Asu, Du);
- vROL(BCu, Asu, 14);
- vXNA(Eba, Aba, BCe, BCi);
- vxor(Eba, Eba, vdupq_n_u64(neon_KeccakF_RoundConstants[round]));
- vXNA(Ebe, BCe, BCi, BCo);
- vXNA(Ebi, BCi, BCo, BCu);
- vXNA(Ebo, BCo, BCu, Aba);
- vXNA(Ebu, BCu, Aba, BCe);
-
- vxor(Abo, Abo, Do);
- vROL(BCa, Abo, 28);
- vxor(Agu, Agu, Du);
- vROL(BCe, Agu, 20);
- vxor(Aka, Aka, Da);
- vROL(BCi, Aka, 3);
- vxor(Ame, Ame, De);
- vROL(BCo, Ame, 45);
- vxor(Asi, Asi, Di);
- vROL(BCu, Asi, 61);
- vXNA(Ega, BCa, BCe, BCi);
- vXNA(Ege, BCe, BCi, BCo);
- vXNA(Egi, BCi, BCo, BCu);
- vXNA(Ego, BCo, BCu, BCa);
- vXNA(Egu, BCu, BCa, BCe);
-
- vxor(Abe, Abe, De);
- vROL(BCa, Abe, 1);
- vxor(Agi, Agi, Di);
- vROL(BCe, Agi, 6);
- vxor(Ako, Ako, Do);
- vROL(BCi, Ako, 25);
- vxor(Amu, Amu, Du);
- vROL(BCo, Amu, 8);
- vxor(Asa, Asa, Da);
- vROL(BCu, Asa, 18);
- vXNA(Eka, BCa, BCe, BCi);
- vXNA(Eke, BCe, BCi, BCo);
- vXNA(Eki, BCi, BCo, BCu);
- vXNA(Eko, BCo, BCu, BCa);
- vXNA(Eku, BCu, BCa, BCe);
-
- vxor(Abu, Abu, Du);
- vROL(BCa, Abu, 27);
- vxor(Aga, Aga, Da);
- vROL(BCe, Aga, 36);
- vxor(Ake, Ake, De);
- vROL(BCi, Ake, 10);
- vxor(Ami, Ami, Di);
- vROL(BCo, Ami, 15);
- vxor(Aso, Aso, Do);
- vROL(BCu, Aso, 56);
- vXNA(Ema, BCa, BCe, BCi);
- vXNA(Eme, BCe, BCi, BCo);
- vXNA(Emi, BCi, BCo, BCu);
- vXNA(Emo, BCo, BCu, BCa);
- vXNA(Emu, BCu, BCa, BCe);
-
- vxor(Abi, Abi, Di);
- vROL(BCa, Abi, 62);
- vxor(Ago, Ago, Do);
- vROL(BCe, Ago, 55);
- vxor(Aku, Aku, Du);
- vROL(BCi, Aku, 39);
- vxor(Ama, Ama, Da);
- vROL(BCo, Ama, 41);
- vxor(Ase, Ase, De);
- vROL(BCu, Ase, 2);
- vXNA(Esa, BCa, BCe, BCi);
- vXNA(Ese, BCe, BCi, BCo);
- vXNA(Esi, BCi, BCo, BCu);
- vXNA(Eso, BCo, BCu, BCa);
- vXNA(Esu, BCu, BCa, BCe);
-
- // Next Round
-
- // prepareTheta
- vXOR4(BCa, Eba, Ega, Eka, Ema, Esa);
- vXOR4(BCe, Ebe, Ege, Eke, Eme, Ese);
- vXOR4(BCi, Ebi, Egi, Eki, Emi, Esi);
- vXOR4(BCo, Ebo, Ego, Eko, Emo, Eso);
- vXOR4(BCu, Ebu, Egu, Eku, Emu, Esu);
-
- //thetaRhoPiChiIotaPrepareTheta(round+1, E, A)
- vROL(Da, BCe, 1);
- vxor(Da, BCu, Da);
- vROL(De, BCi, 1);
- vxor(De, BCa, De);
- vROL(Di, BCo, 1);
- vxor(Di, BCe, Di);
- vROL(Do, BCu, 1);
- vxor(Do, BCi, Do);
- vROL(Du, BCa, 1);
- vxor(Du, BCo, Du);
-
- vxor(Eba, Eba, Da);
- vxor(Ege, Ege, De);
- vROL(BCe, Ege, 44);
- vxor(Eki, Eki, Di);
- vROL(BCi, Eki, 43);
- vxor(Emo, Emo, Do);
- vROL(BCo, Emo, 21);
- vxor(Esu, Esu, Du);
- vROL(BCu, Esu, 14);
- vXNA(Aba, Eba, BCe, BCi);
- vxor(Aba, Aba, vdupq_n_u64(neon_KeccakF_RoundConstants[round + 1]));
- vXNA(Abe, BCe, BCi, BCo);
- vXNA(Abi, BCi, BCo, BCu);
- vXNA(Abo, BCo, BCu, Eba);
- vXNA(Abu, BCu, Eba, BCe);
-
- vxor(Ebo, Ebo, Do);
- vROL(BCa, Ebo, 28);
- vxor(Egu, Egu, Du);
- vROL(BCe, Egu, 20);
- vxor(Eka, Eka, Da);
- vROL(BCi, Eka, 3);
- vxor(Eme, Eme, De);
- vROL(BCo, Eme, 45);
- vxor(Esi, Esi, Di);
- vROL(BCu, Esi, 61);
- vXNA(Aga, BCa, BCe, BCi);
- vXNA(Age, BCe, BCi, BCo);
- vXNA(Agi, BCi, BCo, BCu);
- vXNA(Ago, BCo, BCu, BCa);
- vXNA(Agu, BCu, BCa, BCe);
-
- vxor(Ebe, Ebe, De);
- vROL(BCa, Ebe, 1);
- vxor(Egi, Egi, Di);
- vROL(BCe, Egi, 6);
- vxor(Eko, Eko, Do);
- vROL(BCi, Eko, 25);
- vxor(Emu, Emu, Du);
- vROL(BCo, Emu, 8);
- vxor(Esa, Esa, Da);
- vROL(BCu, Esa, 18);
- vXNA(Aka, BCa, BCe, BCi);
- vXNA(Ake, BCe, BCi, BCo);
- vXNA(Aki, BCi, BCo, BCu);
- vXNA(Ako, BCo, BCu, BCa);
- vXNA(Aku, BCu, BCa, BCe);
-
- vxor(Ebu, Ebu, Du);
- vROL(BCa, Ebu, 27);
- vxor(Ega, Ega, Da);
- vROL(BCe, Ega, 36);
- vxor(Eke, Eke, De);
- vROL(BCi, Eke, 10);
- vxor(Emi, Emi, Di);
- vROL(BCo, Emi, 15);
- vxor(Eso, Eso, Do);
- vROL(BCu, Eso, 56);
- vXNA(Ama, BCa, BCe, BCi);
- vXNA(Ame, BCe, BCi, BCo);
- vXNA(Ami, BCi, BCo, BCu);
- vXNA(Amo, BCo, BCu, BCa);
- vXNA(Amu, BCu, BCa, BCe);
-
- vxor(Ebi, Ebi, Di);
- vROL(BCa, Ebi, 62);
- vxor(Ego, Ego, Do);
- vROL(BCe, Ego, 55);
- vxor(Eku, Eku, Du);
- vROL(BCi, Eku, 39);
- vxor(Ema, Ema, Da);
- vROL(BCo, Ema, 41);
- vxor(Ese, Ese, De);
- vROL(BCu, Ese, 2);
- vXNA(Asa, BCa, BCe, BCi);
- vXNA(Ase, BCe, BCi, BCo);
- vXNA(Asi, BCi, BCo, BCu);
- vXNA(Aso, BCo, BCu, BCa);
- vXNA(Asu, BCu, BCa, BCe);
- }
-
- state[0] = Aba;
- state[1] = Abe;
- state[2] = Abi;
- state[3] = Abo;
- state[4] = Abu;
- state[5] = Aga;
- state[6] = Age;
- state[7] = Agi;
- state[8] = Ago;
- state[9] = Agu;
- state[10] = Aka;
- state[11] = Ake;
- state[12] = Aki;
- state[13] = Ako;
- state[14] = Aku;
- state[15] = Ama;
- state[16] = Ame;
- state[17] = Ami;
- state[18] = Amo;
- state[19] = Amu;
- state[20] = Asa;
- state[21] = Ase;
- state[22] = Asi;
- state[23] = Aso;
- state[24] = Asu;
-#endif
-}
-
-/*************************************************
-* Name: keccakx2_absorb
-*
-* Description: Absorb step of Keccak;
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - uint64_t *s: pointer to (uninitialized) output Keccak state
-* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
-* - const uint8_t *m: pointer to input to be absorbed into s
-* - size_t mlen: length of input in bytes
-* - uint8_t p: domain-separation byte for different
-* Keccak-derived functions
-**************************************************/
-static
-void keccakx2_absorb(v128 s[25],
- unsigned int r,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen,
- uint8_t p) {
- size_t i, pos = 0;
-
- // Declare SIMD registers
- v128 tmp, mask;
- uint64x1_t a, b;
- uint64x2_t a1, b1, atmp1, btmp1;
- uint64x2x2_t a2, b2, atmp2, btmp2;
- // End
-
- for (i = 0; i < 25; ++i) {
- s[i] = vdupq_n_u64(0);
- }
-
- // Load in0[i] to register, then in1[i] to register, exchange them
- while (inlen >= r) {
- for (i = 0; i < r / 8 - 1; i += 4) {
- a2 = vld1q_u64_x2((uint64_t *)&in0[pos]);
- b2 = vld1q_u64_x2((uint64_t *)&in1[pos]);
- // BD = zip1(AB and CD)
- atmp2.val[0] = vzip1q_u64(a2.val[0], b2.val[0]);
- atmp2.val[1] = vzip1q_u64(a2.val[1], b2.val[1]);
- // AC = zip2(AB and CD)
- btmp2.val[0] = vzip2q_u64(a2.val[0], b2.val[0]);
- btmp2.val[1] = vzip2q_u64(a2.val[1], b2.val[1]);
-
- vxor(s[i + 0], s[i + 0], atmp2.val[0]);
- vxor(s[i + 1], s[i + 1], btmp2.val[0]);
- vxor(s[i + 2], s[i + 2], atmp2.val[1]);
- vxor(s[i + 3], s[i + 3], btmp2.val[1]);
-
- pos += 8 * 2 * 2;
- }
- // Last iteration
- i = r / 8 - 1;
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- vxor(s[i], s[i], tmp);
- pos += 8;
-
- KeccakF1600_StatePermutex2(s);
- inlen -= r;
- }
-
- i = 0;
- while (inlen >= 16) {
- a1 = vld1q_u64((uint64_t *)&in0[pos]);
- b1 = vld1q_u64((uint64_t *)&in1[pos]);
- // BD = zip1(AB and CD)
- atmp1 = vzip1q_u64(a1, b1);
- // AC = zip2(AB and CD)
- btmp1 = vzip2q_u64(a1, b1);
-
- vxor(s[i + 0], s[i + 0], atmp1);
- vxor(s[i + 1], s[i + 1], btmp1);
-
- i += 2;
- pos += 8 * 2;
- inlen -= 8 * 2;
- }
-
- if (inlen >= 8) {
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- vxor(s[i], s[i], tmp);
-
- i++;
- pos += 8;
- inlen -= 8;
- }
-
- if (inlen) {
- a = vld1_u64((uint64_t *)&in0[pos]);
- b = vld1_u64((uint64_t *)&in1[pos]);
- tmp = vcombine_u64(a, b);
- mask = vdupq_n_u64((1ULL << (8 * inlen)) - 1);
- tmp = vandq_u64(tmp, mask);
- vxor(s[i], s[i], tmp);
- }
-
- tmp = vdupq_n_u64((uint64_t)p << (8 * inlen));
- vxor(s[i], s[i], tmp);
-
- mask = vdupq_n_u64(1ULL << 63);
- vxor(s[r / 8 - 1], s[r / 8 - 1], mask);
-}
-
-/*************************************************
-* Name: keccak_squeezeblocks
-*
-* Description: Squeeze step of Keccak. Squeezes full blocks of r bytes each.
-* Modifies the state. Can be called multiple times to keep
-* squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed (written to h)
-* - unsigned int r: rate in bytes (e.g., 168 for SHAKE128)
-* - uint64_t *s: pointer to input/output Keccak state
-**************************************************/
-static
-void keccakx2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- unsigned int r,
- v128 s[25]){
- unsigned int i;
-
- uint64x1_t a, b;
- uint64x2x2_t a2, b2;
-
- while (nblocks > 0)
- {
- KeccakF1600_StatePermutex2(s);
-
- for (i = 0; i < r / 8 - 1; i += 4)
- {
- a2.val[0] = vuzp1q_u64(s[i], s[i + 1]);
- b2.val[0] = vuzp2q_u64(s[i], s[i + 1]);
- a2.val[1] = vuzp1q_u64(s[i + 2], s[i + 3]);
- b2.val[1] = vuzp2q_u64(s[i + 2], s[i + 3]);
- vst1q_u64_x2((uint64_t *)out0, a2);
- vst1q_u64_x2((uint64_t *)out1, b2);
-
- out0 += 32;
- out1 += 32;
- }
-
- i = r / 8 - 1;
- // Last iteration
- a = vget_low_u64(s[i]);
- b = vget_high_u64(s[i]);
- vst1_u64((uint64_t *)out0, a);
- vst1_u64((uint64_t *)out1, b);
-
- out0 += 8;
- out1 += 8;
-
- --nblocks;
- }
-}
-
-/*************************************************
-* Name: shake128x2_absorb
-*
-* Description: Absorb step of the SHAKE128 XOF.
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - keccakx2_state *state: pointer to (uninitialized) output
-* Keccak state
-* - const uint8_t *in: pointer to input to be absorbed into s
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake128x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- keccakx2_absorb(state->s, SHAKE128_RATE, in0, in1, inlen, 0x1F);
-}
-
-/*************************************************
-* Name: shake128_squeezeblocks
-*
-* Description: Squeeze step of SHAKE128 XOF. Squeezes full blocks of
-* SHAKE128_RATE bytes each. Modifies the state. Can be called
-* multiple times to keep squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed
-* (written to output)
-* - keccakx2_state *s: pointer to input/output Keccak state
-**************************************************/
-void shake128x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state) {
- keccakx2_squeezeblocks(out0, out1, nblocks, SHAKE128_RATE, state->s);
-}
-
-/*************************************************
-* Name: shake256_absorb
-*
-* Description: Absorb step of the SHAKE256 XOF.
-* non-incremental, starts by zeroeing the state.
-*
-* Arguments: - keccakx2_state *s: pointer to (uninitialized) output Keccak state
-* - const uint8_t *in: pointer to input to be absorbed into s
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake256x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- keccakx2_absorb(state->s, SHAKE256_RATE, in0, in1, inlen, 0x1F);
-}
-
-/*************************************************
-* Name: shake256_squeezeblocks
-*
-* Description: Squeeze step of SHAKE256 XOF. Squeezes full blocks of
-* SHAKE256_RATE bytes each. Modifies the state. Can be called
-* multiple times to keep squeezing, i.e., is incremental.
-*
-* Arguments: - uint8_t *out: pointer to output blocks
-* - size_t nblocks: number of blocks to be squeezed
-* (written to output)
-* - keccakx2_state *s: pointer to input/output Keccak state
-**************************************************/
-void shake256x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state) {
- keccakx2_squeezeblocks(out0, out1, nblocks, SHAKE256_RATE, state->s);
-}
-
-/*************************************************
-* Name: shake128
-*
-* Description: SHAKE128 XOF with non-incremental API
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t outlen: requested output length in bytes
-* - const uint8_t *in: pointer to input
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake128x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- unsigned int i;
- size_t nblocks = outlen / SHAKE128_RATE;
- uint8_t t[2][SHAKE128_RATE];
- keccakx2_state state;
-
- shake128x2_absorb(&state, in0, in1, inlen);
- shake128x2_squeezeblocks(out0, out1, nblocks, &state);
-
- out0 += nblocks * SHAKE128_RATE;
- out1 += nblocks * SHAKE128_RATE;
- outlen -= nblocks * SHAKE128_RATE;
-
- if (outlen) {
- shake128x2_squeezeblocks(t[0], t[1], 1, &state);
- for (i = 0; i < outlen; ++i) {
- out0[i] = t[0][i];
- out1[i] = t[1][i];
- }
- }
-}
-
-/*************************************************
-* Name: shake256
-*
-* Description: SHAKE256 XOF with non-incremental API
-*
-* Arguments: - uint8_t *out: pointer to output
-* - size_t outlen: requested output length in bytes
-* - const uint8_t *in: pointer to input
-* - size_t inlen: length of input in bytes
-**************************************************/
-void shake256x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen) {
- unsigned int i;
- size_t nblocks = outlen / SHAKE256_RATE;
- uint8_t t[2][SHAKE256_RATE];
- keccakx2_state state;
-
- shake256x2_absorb(&state, in0, in1, inlen);
- shake256x2_squeezeblocks(out0, out1, nblocks, &state);
-
- out0 += nblocks * SHAKE256_RATE;
- out1 += nblocks * SHAKE256_RATE;
- outlen -= nblocks * SHAKE256_RATE;
-
- if (outlen) {
- shake256x2_squeezeblocks(t[0], t[1], 1, &state);
- for (i = 0; i < outlen; ++i) {
- out0[i] = t[0][i];
- out1[i] = t[1][i];
- }
- }
-}
+++ /dev/null
-
-/*
- * This file is licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * at https://github.com/GMUCERG/PQC_NEON/blob/main/neon/kyber or
- * public domain at https://github.com/cothan/kyber/blob/master/neon
- */
-
-#ifndef FIPS202X2_H
-#define FIPS202X2_H
-
-#include "params.h"
-#include <arm_neon.h>
-#include <stddef.h>
-
-#include <fips202.h>
-
-typedef uint64x2_t v128;
-
-
-typedef struct {
- v128 s[25];
-} keccakx2_state;
-
-
-#define shake128x2_absorb DILITHIUM_NAMESPACE(shake128x2_absorb)
-void shake128x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake128x2_squeezeblocks DILITHIUM_NAMESPACE(shake128x2_squeezeblocks)
-void shake128x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state);
-
-#define shake256x2_absorb DILITHIUM_NAMESPACE(shake256x2_absorb)
-void shake256x2_absorb(keccakx2_state *state,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake256x2_squeezeblocks DILITHIUM_NAMESPACE(shake256x2_squeezeblocks)
-void shake256x2_squeezeblocks(uint8_t *out0,
- uint8_t *out1,
- size_t nblocks,
- keccakx2_state *state);
-
-#define shake128x2 DILITHIUM_NAMESPACE(shake128x2)
-void shake128x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-
-#define shake256x2 DILITHIUM_NAMESPACE(shake256x2)
-void shake256x2(uint8_t *out0,
- uint8_t *out1,
- size_t outlen,
- const uint8_t *in0,
- const uint8_t *in1,
- size_t inlen);
-#endif
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "macros_common.inc"
-
-.macro wrap_trn_4x4 a0, a1, a2, a3, t0, t1, t2, t3, qS, dD
-
- trn1 \t0\qS, \a0\qS, \a1\qS
- trn2 \t1\qS, \a0\qS, \a1\qS
- trn1 \t2\qS, \a2\qS, \a3\qS
- trn2 \t3\qS, \a2\qS, \a3\qS
-
- trn1 \a0\dD, \t0\dD, \t2\dD
- trn2 \a2\dD, \t0\dD, \t2\dD
- trn1 \a1\dD, \t1\dD, \t3\dD
- trn2 \a3\dD, \t1\dD, \t3\dD
-
-.endm
-
-.macro trn_4x4 a0, a1, a2, a3, t0, t1, t2, t3
- wrap_trn_4x4 \a0, \a1, \a2, \a3, \t0, \t1, \t2, \t3, .4S, .2D
-.endm
-
-
-.macro dq_butterfly_vec_bot a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1
- wrap_dX_butterfly_vec_bot \a0, \a1, \b0, \b1, \t0, \t1, \mod, \l0, \h0, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_top a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1
- wrap_dX_butterfly_vec_top \a0, \a1, \b0, \b1, \t0, \t1, \mod, \l0, \h0, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3
- wrap_dX_butterfly_vec_mixed \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \l0, \h0, \l1, \h1, \l2, \h2, \l3, \h3, .4S, .S
-.endm
-
-.macro dq_butterfly_vec_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3
- wrap_dX_butterfly_vec_mixed_rev \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \l0, \h0, \l1, \h1, \l2, \h2, \l3, \h3, .4S, .S
-.endm
-
-
-.macro dq_butterfly_top a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1
- wrap_dX_butterfly_top \a0, \a1, \b0, \b1, \t0, \t1, \mod, \z0, \l0, \h0, \z1, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_bot a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1
- wrap_dX_butterfly_bot \a0, \a1, \b0, \b1, \t0, \t1, \mod, \z0, \l0, \h0, \z1, \l1, \h1, .4S, .S
-.endm
-
-.macro dq_butterfly_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_dX_butterfly_mixed \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro dq_butterfly_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_dX_butterfly_mixed_rev \a0, \a1, \b0, \b1, \t0, \t1, \a2, \a3, \b2, \b3, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-
-.macro qq_montgomery_mul b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_montgomery_mul \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-
-.macro qq_butterfly_top a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_butterfly_top \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro qq_butterfly_bot a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3
- wrap_qX_butterfly_bot \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, .4S, .S
-.endm
-
-.macro qq_butterfly_mixed a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7
- wrap_qX_butterfly_mixed \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \a4, \a5, \a6, \a7, \b4, \b5, \b6, \b7, \t4, \t5, \t6, \t7, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, \z4, \l4, \h4, \z5, \l5, \h5, \z6, \l6, \h6, \z7, \l7, \h7, .4S, .S
-.endm
-
-.macro qq_butterfly_mixed_rev a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7
- wrap_qX_butterfly_mixed_rev \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, \t0, \t1, \t2, \t3, \a4, \a5, \a6, \a7, \b4, \b5, \b6, \b7, \t4, \t5, \t6, \t7, \mod, \z0, \l0, \h0, \z1, \l1, \h1, \z2, \l2, \h2, \z3, \l3, \h3, \z4, \l4, \h4, \z5, \l5, \h5, \z6, \l6, \h6, \z7, \l7, \h7, .4S, .S
-.endm
-
-
-.macro qq_montgomery c0, c1, c2, c3, l0, l1, l2, l3, h0, h1, h2, h3, t0, t1, t2, t3, Qprime, Q
- wrap_qX_montgomery \c0, \c1, \c2, \c3, \l0, \l1, \l2, \l3, \h0, \h1, \h2, \h3, \t0, \t1, \t2, \t3, \Qprime, \Q, .2S, .4S, .2D
-.endm
-
-.macro qq_sub_add s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3
- wrap_qX_sub_add \s0, \s1, \s2, \s3, \t0, \t1, \t2, \t3, \a0, \a1, \a2, \a3, \b0, \b1, \b2, \b3, .4S
-.endm
+++ /dev/null
-
-/*
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-// for ABI
-
-.macro push_all
-
- sub sp, sp, #(16*9)
- stp x19, x20, [sp, #16*0]
- stp x21, x22, [sp, #16*1]
- stp x23, x24, [sp, #16*2]
- stp x25, x26, [sp, #16*3]
- stp x27, x28, [sp, #16*4]
- stp d8, d9, [sp, #16*5]
- stp d10, d11, [sp, #16*6]
- stp d12, d13, [sp, #16*7]
- stp d14, d15, [sp, #16*8]
-
-.endm
-
-.macro pop_all
-
- ldp x19, x20, [sp, #16*0]
- ldp x21, x22, [sp, #16*1]
- ldp x23, x24, [sp, #16*2]
- ldp x25, x26, [sp, #16*3]
- ldp x27, x28, [sp, #16*4]
- ldp d8, d9, [sp, #16*5]
- ldp d10, d11, [sp, #16*6]
- ldp d12, d13, [sp, #16*7]
- ldp d14, d15, [sp, #16*8]
- add sp, sp, #(16*9)
-
-.endm
-
-// vector-scalar butterflies
-
-.macro wrap_dX_butterfly_top a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_bot a0, a1, b0, b1, t0, t1, mod, z0, l0, h0, z1, l1, h1, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
-
-.endm
-
-.macro wrap_dX_butterfly_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
-
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- sub \b3\wX, \a3\wX, \t3\wX
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- add \a3\wX, \a3\wX, \t3\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_top a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_bot a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
- sub \b2\wX, \a2\wX, \t2\wX
- sub \b3\wX, \a3\wX, \t3\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
- add \a2\wX, \a2\wX, \t2\wX
- add \a3\wX, \a3\wX, \t3\wX
-
-.endm
-
-.macro wrap_qX_butterfly_mixed a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t4\wX, \b4\wX, \z4\nX[\h4]
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t5\wX, \b5\wX, \z5\nX[\h5]
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t6\wX, \b6\wX, \z6\nX[\h6]
- sub \b3\wX, \a3\wX, \t3\wX
- mul \t7\wX, \b7\wX, \z7\nX[\h7]
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b4\wX, \b4\wX, \z4\nX[\l4]
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b5\wX, \b5\wX, \z5\nX[\l5]
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b6\wX, \b6\wX, \z6\nX[\l6]
- add \a3\wX, \a3\wX, \t3\wX
- sqrdmulh \b7\wX, \b7\wX, \z7\nX[\l7]
-
- mls \t4\wX, \b4\wX, \mod\nX[0]
- mls \t5\wX, \b5\wX, \mod\nX[0]
- mls \t6\wX, \b6\wX, \mod\nX[0]
- mls \t7\wX, \b7\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_qX_butterfly_mixed_rev a0, a1, a2, a3, b0, b1, b2, b3, t0, t1, t2, t3, a4, a5, a6, a7, b4, b5, b6, b7, t4, t5, t6, t7, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, z4, l4, h4, z5, l5, h5, z6, l6, h6, z7, l7, h7, wX, nX
-
- mul \t0\wX, \b0\wX, \z0\nX[\h0]
- sub \b4\wX, \a4\wX, \t4\wX
- mul \t1\wX, \b1\wX, \z1\nX[\h1]
- sub \b5\wX, \a5\wX, \t5\wX
- mul \t2\wX, \b2\wX, \z2\nX[\h2]
- sub \b6\wX, \a6\wX, \t6\wX
- mul \t3\wX, \b3\wX, \z3\nX[\h3]
- sub \b7\wX, \a7\wX, \t7\wX
-
- sqrdmulh \b0\wX, \b0\wX, \z0\nX[\l0]
- add \a4\wX, \a4\wX, \t4\wX
- sqrdmulh \b1\wX, \b1\wX, \z1\nX[\l1]
- add \a5\wX, \a5\wX, \t5\wX
- sqrdmulh \b2\wX, \b2\wX, \z2\nX[\l2]
- add \a6\wX, \a6\wX, \t6\wX
- sqrdmulh \b3\wX, \b3\wX, \z3\nX[\l3]
- add \a7\wX, \a7\wX, \t7\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-// vector-vector butterflies
-
-.macro wrap_dX_butterfly_vec_top a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1, wX, nX
-
- mul \t0\wX, \b0\wX, \h0\wX
- mul \t1\wX, \b1\wX, \h1\wX
-
- sqrdmulh \b0\wX, \b0\wX, \l0\wX
- sqrdmulh \b1\wX, \b1\wX, \l1\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_vec_bot a0, a1, b0, b1, t0, t1, mod, l0, h0, l1, h1, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- sub \b1\wX, \a1\wX, \t1\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- add \a1\wX, \a1\wX, \t1\wX
-
-.endm
-
-.macro wrap_dX_butterfly_vec_mixed a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3, wX, nX
-
- sub \b0\wX, \a0\wX, \t0\wX
- mul \t2\wX, \b2\wX, \h2\wX
- sub \b1\wX, \a1\wX, \t1\wX
- mul \t3\wX, \b3\wX, \h3\wX
-
- add \a0\wX, \a0\wX, \t0\wX
- sqrdmulh \b2\wX, \b2\wX, \l2\wX
- add \a1\wX, \a1\wX, \t1\wX
- sqrdmulh \b3\wX, \b3\wX, \l3\wX
-
- mls \t2\wX, \b2\wX, \mod\nX[0]
- mls \t3\wX, \b3\wX, \mod\nX[0]
-
-.endm
-
-.macro wrap_dX_butterfly_vec_mixed_rev a0, a1, b0, b1, t0, t1, a2, a3, b2, b3, t2, t3, mod, l0, h0, l1, h1, l2, h2, l3, h3, wX, nX
-
- mul \t0\wX, \b0\wX, \h0\wX
- sub \b2\wX, \a2\wX, \t2\wX
- mul \t1\wX, \b1\wX, \h1\wX
- sub \b3\wX, \a3\wX, \t3\wX
-
- sqrdmulh \b0\wX, \b0\wX, \l0\wX
- add \a2\wX, \a2\wX, \t2\wX
- sqrdmulh \b1\wX, \b1\wX, \l1\wX
- add \a3\wX, \a3\wX, \t3\wX
-
- mls \t0\wX, \b0\wX, \mod\nX[0]
- mls \t1\wX, \b1\wX, \mod\nX[0]
-
-.endm
-
-// vector-scalar Barrett reduction
-
-.macro wrap_qX_barrett a0, a1, a2, a3, t0, t1, t2, t3, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\nX[0]
- sqdmulh \t1\wX, \a1\wX, \barrett_const\nX[0]
-
- sqdmulh \t2\wX, \a2\wX, \barrett_const\nX[0]
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t3\wX, \a3\wX, \barrett_const\nX[0]
- srshr \t1\wX, \t1\wX, \shrv
-
- srshr \t2\wX, \t2\wX, \shrv
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t3\wX, \t3\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
-
- mls \a2\wX, \t2\wX, \Q\wX
- mls \a3\wX, \t3\wX, \Q\wX
-
-.endm
-
-.macro wrap_oX_barrett a0, a1, a2, a3, t0, t1, t2, t3, a4, a5, a6, a7, t4, t5, t6, t7, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\nX[0]
- sqdmulh \t1\wX, \a1\wX, \barrett_const\nX[0]
- sqdmulh \t2\wX, \a2\wX, \barrett_const\nX[0]
- sqdmulh \t3\wX, \a3\wX, \barrett_const\nX[0]
-
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t4\wX, \a4\wX, \barrett_const\nX[0]
- srshr \t1\wX, \t1\wX, \shrv
- sqdmulh \t5\wX, \a5\wX, \barrett_const\nX[0]
- srshr \t2\wX, \t2\wX, \shrv
- sqdmulh \t6\wX, \a6\wX, \barrett_const\nX[0]
- srshr \t3\wX, \t3\wX, \shrv
- sqdmulh \t7\wX, \a7\wX, \barrett_const\nX[0]
-
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t4\wX, \t4\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
- srshr \t5\wX, \t5\wX, \shrv
- mls \a2\wX, \t2\wX, \Q\wX
- srshr \t6\wX, \t6\wX, \shrv
- mls \a3\wX, \t3\wX, \Q\wX
- srshr \t7\wX, \t7\wX, \shrv
-
- mls \a4\wX, \t4\wX, \Q\wX
- mls \a5\wX, \t5\wX, \Q\wX
- mls \a6\wX, \t6\wX, \Q\wX
- mls \a7\wX, \t7\wX, \Q\wX
-
-.endm
-
-// vector-vector Barrett reduction
-
-.macro wrap_qo_barrett_vec a0, a1, a2, a3, t0, t1, t2, t3, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\wX
- sqdmulh \t1\wX, \a1\wX, \barrett_const\wX
-
- sqdmulh \t2\wX, \a2\wX, \barrett_const\wX
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t3\wX, \a3\wX, \barrett_const\wX
- srshr \t1\wX, \t1\wX, \shrv
-
- srshr \t2\wX, \t2\wX, \shrv
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t3\wX, \t3\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
-
- mls \a2\wX, \t2\wX, \Q\wX
- mls \a3\wX, \t3\wX, \Q\wX
-
-.endm
-
-.macro wrap_oo_barrett_vec a0, a1, a2, a3, t0, t1, t2, t3, a4, a5, a6, a7, t4, t5, t6, t7, barrett_const, shrv, Q, wX, nX
-
- sqdmulh \t0\wX, \a0\wX, \barrett_const\wX
- sqdmulh \t1\wX, \a1\wX, \barrett_const\wX
- sqdmulh \t2\wX, \a2\wX, \barrett_const\wX
- sqdmulh \t3\wX, \a3\wX, \barrett_const\wX
-
- srshr \t0\wX, \t0\wX, \shrv
- sqdmulh \t4\wX, \a4\wX, \barrett_const\wX
- srshr \t1\wX, \t1\wX, \shrv
- sqdmulh \t5\wX, \a5\wX, \barrett_const\wX
- srshr \t2\wX, \t2\wX, \shrv
- sqdmulh \t6\wX, \a6\wX, \barrett_const\wX
- srshr \t3\wX, \t3\wX, \shrv
- sqdmulh \t7\wX, \a7\wX, \barrett_const\wX
-
- mls \a0\wX, \t0\wX, \Q\wX
- srshr \t4\wX, \t4\wX, \shrv
- mls \a1\wX, \t1\wX, \Q\wX
- srshr \t5\wX, \t5\wX, \shrv
- mls \a2\wX, \t2\wX, \Q\wX
- srshr \t6\wX, \t6\wX, \shrv
- mls \a3\wX, \t3\wX, \Q\wX
- srshr \t7\wX, \t7\wX, \shrv
-
- mls \a4\wX, \t4\wX, \Q\wX
- mls \a5\wX, \t5\wX, \Q\wX
- mls \a6\wX, \t6\wX, \Q\wX
- mls \a7\wX, \t7\wX, \Q\wX
-
-.endm
-
-// Montgomery multiplication
-
-.macro wrap_qX_montgomery_mul b0, b1, b2, b3, t0, t1, t2, t3, mod, z0, l0, h0, z1, l1, h1, z2, l2, h2, z3, l3, h3, wX, nX
-
- mul \b0\wX, \t0\wX, \z0\nX[\h0]
- mul \b1\wX, \t1\wX, \z1\nX[\h1]
- mul \b2\wX, \t2\wX, \z2\nX[\h2]
- mul \b3\wX, \t3\wX, \z3\nX[\h3]
-
- sqrdmulh \t0\wX, \t0\wX, \z0\nX[\l0]
- sqrdmulh \t1\wX, \t1\wX, \z1\nX[\l1]
- sqrdmulh \t2\wX, \t2\wX, \z2\nX[\l2]
- sqrdmulh \t3\wX, \t3\wX, \z3\nX[\l3]
-
- mls \b0\wX, \t0\wX, \mod\nX[0]
- mls \b1\wX, \t1\wX, \mod\nX[0]
- mls \b2\wX, \t2\wX, \mod\nX[0]
- mls \b3\wX, \t3\wX, \mod\nX[0]
-
-.endm
-
-// Montgomery reduction with long
-
-.macro wrap_qX_montgomery c0, c1, c2, c3, l0, l1, l2, l3, h0, h1, h2, h3, t0, t1, t2, t3, Qprime, Q, lX, wX, dwX
-
- uzp1 \t0\wX, \l0\wX, \h0\wX
- uzp1 \t1\wX, \l1\wX, \h1\wX
- uzp1 \t2\wX, \l2\wX, \h2\wX
- uzp1 \t3\wX, \l3\wX, \h3\wX
-
- mul \t0\wX, \t0\wX, \Qprime\wX
- mul \t1\wX, \t1\wX, \Qprime\wX
- mul \t2\wX, \t2\wX, \Qprime\wX
- mul \t3\wX, \t3\wX, \Qprime\wX
-
- smlal \l0\dwX, \t0\lX, \Q\lX
- smlal2 \h0\dwX, \t0\wX, \Q\wX
- smlal \l1\dwX, \t1\lX, \Q\lX
- smlal2 \h1\dwX, \t1\wX, \Q\wX
- smlal \l2\dwX, \t2\lX, \Q\lX
- smlal2 \h2\dwX, \t2\wX, \Q\wX
- smlal \l3\dwX, \t3\lX, \Q\lX
- smlal2 \h3\dwX, \t3\wX, \Q\wX
-
- uzp2 \c0\wX, \l0\wX, \h0\wX
- uzp2 \c1\wX, \l1\wX, \h1\wX
- uzp2 \c2\wX, \l2\wX, \h2\wX
- uzp2 \c3\wX, \l3\wX, \h3\wX
-
-.endm
-
-// add_sub, sub_add
-
-.macro wrap_qX_add_sub s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3, wX
-
- add \s0\wX, \a0\wX, \b0\wX
- sub \t0\wX, \a0\wX, \b0\wX
- add \s1\wX, \a1\wX, \b1\wX
- sub \t1\wX, \a1\wX, \b1\wX
- add \s2\wX, \a2\wX, \b2\wX
- sub \t2\wX, \a2\wX, \b2\wX
- add \s3\wX, \a3\wX, \b3\wX
- sub \t3\wX, \a3\wX, \b3\wX
-
-.endm
-
-.macro wrap_qX_sub_add s0, s1, s2, s3, t0, t1, t2, t3, a0, a1, a2, a3, b0, b1, b2, b3, wX
-
- sub \t0\wX, \a0\wX, \b0\wX
- add \s0\wX, \a0\wX, \b0\wX
- sub \t1\wX, \a1\wX, \b1\wX
- add \s1\wX, \a1\wX, \b1\wX
- sub \t2\wX, \a2\wX, \b2\wX
- add \s2\wX, \a2\wX, \b2\wX
- sub \t3\wX, \a3\wX, \b3\wX
- add \s3\wX, \a3\wX, \b3\wX
-
-.endm
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "reduce.h"
-#include <stdint.h>
-#include <stdio.h>
-
-#include "NTT_params.h"
-#include "ntt.h"
-
-
-/*************************************************
-* Name: ntt
-*
-* Description: Forward NTT, in-place. No modular reduction is performed after
-* additions or subtractions. Output vector is in bitreversed order.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void ntt(int32_t a[N]) {
- NTT(a);
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
-* In-place. No modular reductions after additions or
-* subtractions; input coefficients need to be smaller than
-* Q in absolute value. Output coefficient are smaller than Q in
-* absolute value.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void invntt_tomont(int32_t a[N]) {
- iNTT(a);
-}
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef NTT_H
-#define NTT_H
-#include "NTT_params.h"
-#include "params.h"
-#include <stdint.h>
-
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_top(int *des, const int *table, const int *_constants);
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_bot(int *des, const int *table, const int *_constants);
-
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_top(int *des, const int *table, const int *_constants);
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_bot(int *des, const int *table, const int *_constants);
-
-#define NTT(in) { \
- PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_top(in, streamlined_CT_negacyclic_table_Q1_extended, constants); \
- PQCLEAN_DILITHIUM5_AARCH64__asm_ntt_SIMD_bot(in, streamlined_CT_negacyclic_table_Q1_extended, constants); \
- }
-
-#define iNTT(in) { \
- PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_bot(in, streamlined_inv_CT_table_Q1_extended, constants); \
- PQCLEAN_DILITHIUM5_AARCH64__asm_intt_SIMD_top(in, streamlined_inv_CT_table_Q1_extended, constants); \
- }
-
-#define ntt DILITHIUM_NAMESPACE(ntt)
-void ntt(int32_t a[ARRAY_N]);
-#define invntt_tomont DILITHIUM_NAMESPACE(invntt_tomont)
-void invntt_tomont(int32_t a[ARRAY_N]);
-
-static const int constants[16] = {
- Q1, -Q1prime, RmodQ1_prime_half, RmodQ1_doubleprime,
- invNQ1R2modQ1_prime_half,
- invNQ1R2modQ1_doubleprime,
- invNQ1_final_R2modQ1_prime_half,
- invNQ1_final_R2modQ1_doubleprime
-};
-
-static const int streamlined_CT_negacyclic_table_Q1_extended[(NTT_N + (1 << 0) + (1 << 4)) << 1] = {
- 0, 0, -915382907, -3572223, 964937599, 3765607, 963888510, 3761513, -820383522, -3201494, -738955404, -2883726, -806080660, -3145678, -820367122, -3201430, -154181397, -601683, 907762539, 3542485, 687336873, 2682288, 545785280, 2129892, 964747974, 3764867, -257592709, -1005239, 142848732, 557458, -312926867, -1221177, 0, 0, -863652652, -3370349, 923069133, 3602218, 815613168, 3182878, 787459213, 3073009, 327391679, 1277625, -675340520, -2635473, 987079667, 3852015, 449207, 1753, -495951789, -1935420, -681503850, -2659525, -373072124, -1455890, 681730119, 2660408, -456183549, -1780227, -15156688, -59148, 710479343, 2772600, 0, 0, -1041158200, -4063053, 702264730, 2740543, -919027554, -3586446, 1071989969, 4183372, -825844983, -3222807, -799869667, -3121440, -70227934, -274060, 302950022, 1182243, 22347069, 87208, 163212680, 636927, -1016110510, -3965306, -1013916752, -3956745, -588452222, -2296397, -841760171, -3284915, -952468207, -3716946, 0, 0, 682491182, 2663378, -797147778, -3110818, 538486762, 2101410, 642926661, 2508980, 519705671, 2028118, 496502727, 1937570, -977780347, -3815725, -7126831, -27812, 210776307, 822541, 258649997, 1009365, -628875181, -2454145, -507246529, -1979497, 409185979, 1596822, -1013967746, -3956944, -963363710, -3759465, 0, 0, -429120452, -1674615, 949361686, 3704823, 297218217, 1159875, 720393920, 2811291, -764594519, -2983781, -284313712, -1109516, 1065510939, 4158088, -431820817, -1685153, -873958779, -3410568, 686309310, 2678278, -965793731, -3768948, -909946047, -3551006, 162963861, 635956, -64176841, -250446, -629190881, -2455377, 0, 0, -903139016, -3524442, 101000509, 394148, 237992130, 928749, 391567239, 1528066, 123678909, 482649, 294395108, 1148858, -759080783, -2962264, -1062481036, -4146264, -454226054, -1772588, 561940831, 2192938, -442566669, -1727088, 611800717, 2387513, -925511710, -3611750, -68791907, -268456, -814992530, -3180456, 0, 0, -111244624, -434125, 280713909, 1095468, -898510625, -3506380, -144935890, -565603, 43482586, 169688, 631001801, 2462444, -854436357, -3334383, 960233614, 3747250, 588375860, 2296099, 317727459, 1239911, -983611064, -3838479, 818892658, 3195676, 677264190, 2642980, 321386456, 1254190, -3181859, -12417, 0, 0, 173376332, 676590, 530906624, 2071829, -1029866791, -4018989, -1067647297, -4166425, -893898890, -3488383, 509377762, 1987814, -819295484, -3197248, 768294260, 2998219, 36345249, 141835, -22883400, -89301, 643961400, 2513018, -347191365, -1354892, 157142369, 613238, -335754661, -1310261, -568482643, -2218467, 0, 0, -342333886, -1335936, 830756018, 3241972, 552488273, 2156050, 444930577, 1736313, 60323094, 235407, -832852657, -3250154, 834980303, 3258457, -117552223, -458740, -492511373, -1921994, 1035301089, 4040196, -889718424, -3472069, 522531086, 2039144, -481719139, -1879878, -209807681, -818761, -558360247, -2178965, 0, 0, -827143915, -3227876, 875112161, 3415069, 450833045, 1759347, -660934133, -2579253, 458160776, 1787943, -612717067, -2391089, -577774276, -2254727, -415984810, -1623354, 539479988, 2105286, -608441020, -2374402, -521163479, -2033807, 150224382, 586241, -302276083, -1179613, 135295244, 527981, -702999655, -2743411, 0, 0, 439288460, 1714295, -209493775, -817536, -915957677, -3574466, 892316032, 3482206, -1071872863, -4182915, -333129378, -1300016, -605279149, -2362063, -378477722, -1476985, 510974714, 1994046, 638402564, 2491325, -356997292, -1393159, 130156402, 507927, -304395785, -1187885, -185731180, -724804, -470097680, -1834526, 0, 0, 628833668, 2453983, 962678241, 3756790, -496048908, -1935799, -337655269, -1317678, 630730945, 2461387, 777970524, 3035980, 159173408, 621164, -777397036, -3033742, -86720197, -338420, 678549029, 2647994, 771248568, 3009748, -669544140, -2612853, 1063046068, 4148469, 192079267, 749577, -1030830548, -4022750, 0, 0, 374309300, 1460718, -439978542, -1716988, -1012201926, -3950053, 999753034, 3901472, -314332144, -1226661, 749740976, 2925816, 864652284, 3374250, 1020029345, 3980599, 658309618, 2569011, -413979908, -1615530, 441577800, 1723229, 426738094, 1665318, 519685171, 2028038, 298172236, 1163598, -863376927, -3369273, 0, 0, -164673562, -642628, -742437332, -2897314, 818041395, 3192354, 347590090, 1356448, -711287812, -2775755, 687588511, 2683270, -712065019, -2778788, 1023635298, 3994671, -3043996, -11879, -351195274, -1370517, 773976352, 3020393, 861908357, 3363542, 55063046, 214880, 139752717, 545376, -197425671, -770441, 0, 0, -918682129, -3585098, 142694469, 556856, 991769559, 3870317, -888589898, -3467665, 592665232, 2312838, -167401858, -653275, -117660617, -459163, 795799901, 3105558, -282732136, -1103344, 130212265, 508145, -141890356, -553718, 220412084, 860144, 879049958, 3430436, 35937555, 140244, -388001774, -1514152, 0, 0, 721508096, 2815639, 747568486, 2917338, 475038184, 1853806, 89383150, 348812, -84011120, -327848, 259126110, 1011223, -603268097, -2354215, -559928242, -2185084, 800464680, 3123762, 604333585, 2358373, -561979013, -2193087, -772445769, -3014420, -439933955, -1716814, 749801963, 2926054, -100631253, -392707, 0, 0, 585207070, 2283733, 857403734, 3345963, 476219497, 1858416, -978523985, -3818627, -492577742, -1922253, -573161516, -2236726, 447030292, 1744507, -77645096, -303005, 904878186, 3531229, -1018462631, -3974485, -967019376, -3773731, 486888731, 1900052, -200355636, -781875, 270210213, 1054478, -187430119, -731434, 0, 0
-};
-
-static const int streamlined_inv_CT_table_Q1_extended[(NTT_N + (1 << 0) + (1 << 4)) << 1] = {
- 0, 0, 915382907, 3572223, -963888510, -3761513, -964937599, -3765607, 820367122, 3201430, 806080660, 3145678, 738955404, 2883726, 820383522, 3201494, 312926867, 1221177, -142848732, -557458, 257592709, 1005239, -964747974, -3764867, -545785280, -2129892, -687336873, -2682288, -907762539, -3542485, 154181397, 601683, 0, 0, -585207070, -2283733, -476219497, -1858416, -857403734, -3345963, -447030292, -1744507, 573161516, 2236726, 492577742, 1922253, 978523985, 3818627, 187430119, 731434, -270210213, -1054478, 200355636, 781875, -486888731, -1900052, 967019376, 3773731, 1018462631, 3974485, -904878186, -3531229, 77645096, 303005, 0, 0, -721508096, -2815639, -475038184, -1853806, -747568486, -2917338, 603268097, 2354215, -259126110, -1011223, 84011120, 327848, -89383150, -348812, 100631253, 392707, -749801963, -2926054, 439933955, 1716814, 772445769, 3014420, 561979013, 2193087, -604333585, -2358373, -800464680, -3123762, 559928242, 2185084, 0, 0, 918682129, 3585098, -991769559, -3870317, -142694469, -556856, 117660617, 459163, 167401858, 653275, -592665232, -2312838, 888589898, 3467665, 388001774, 1514152, -35937555, -140244, -879049958, -3430436, -220412084, -860144, 141890356, 553718, -130212265, -508145, 282732136, 1103344, -795799901, -3105558, 0, 0, 164673562, 642628, -818041395, -3192354, 742437332, 2897314, 712065019, 2778788, -687588511, -2683270, 711287812, 2775755, -347590090, -1356448, 197425671, 770441, -139752717, -545376, -55063046, -214880, -861908357, -3363542, -773976352, -3020393, 351195274, 1370517, 3043996, 11879, -1023635298, -3994671, 0, 0, -374309300, -1460718, 1012201926, 3950053, 439978542, 1716988, -864652284, -3374250, -749740976, -2925816, 314332144, 1226661, -999753034, -3901472, 863376927, 3369273, -298172236, -1163598, -519685171, -2028038, -426738094, -1665318, -441577800, -1723229, 413979908, 1615530, -658309618, -2569011, -1020029345, -3980599, 0, 0, -628833668, -2453983, 496048908, 1935799, -962678241, -3756790, -159173408, -621164, -777970524, -3035980, -630730945, -2461387, 337655269, 1317678, 1030830548, 4022750, -192079267, -749577, -1063046068, -4148469, 669544140, 2612853, -771248568, -3009748, -678549029, -2647994, 86720197, 338420, 777397036, 3033742, 0, 0, -439288460, -1714295, 915957677, 3574466, 209493775, 817536, 605279149, 2362063, 333129378, 1300016, 1071872863, 4182915, -892316032, -3482206, 470097680, 1834526, 185731180, 724804, 304395785, 1187885, -130156402, -507927, 356997292, 1393159, -638402564, -2491325, -510974714, -1994046, 378477722, 1476985, 0, 0, 827143915, 3227876, -450833045, -1759347, -875112161, -3415069, 577774276, 2254727, 612717067, 2391089, -458160776, -1787943, 660934133, 2579253, 702999655, 2743411, -135295244, -527981, 302276083, 1179613, -150224382, -586241, 521163479, 2033807, 608441020, 2374402, -539479988, -2105286, 415984810, 1623354, 0, 0, 342333886, 1335936, -552488273, -2156050, -830756018, -3241972, -834980303, -3258457, 832852657, 3250154, -60323094, -235407, -444930577, -1736313, 558360247, 2178965, 209807681, 818761, 481719139, 1879878, -522531086, -2039144, 889718424, 3472069, -1035301089, -4040196, 492511373, 1921994, 117552223, 458740, 0, 0, -173376332, -676590, 1029866791, 4018989, -530906624, -2071829, 819295484, 3197248, -509377762, -1987814, 893898890, 3488383, 1067647297, 4166425, 568482643, 2218467, 335754661, 1310261, -157142369, -613238, 347191365, 1354892, -643961400, -2513018, 22883400, 89301, -36345249, -141835, -768294260, -2998219, 0, 0, 111244624, 434125, 898510625, 3506380, -280713909, -1095468, 854436357, 3334383, -631001801, -2462444, -43482586, -169688, 144935890, 565603, 3181859, 12417, -321386456, -1254190, -677264190, -2642980, -818892658, -3195676, 983611064, 3838479, -317727459, -1239911, -588375860, -2296099, -960233614, -3747250, 0, 0, 903139016, 3524442, -237992130, -928749, -101000509, -394148, 759080783, 2962264, -294395108, -1148858, -123678909, -482649, -391567239, -1528066, 814992530, 3180456, 68791907, 268456, 925511710, 3611750, -611800717, -2387513, 442566669, 1727088, -561940831, -2192938, 454226054, 1772588, 1062481036, 4146264, 0, 0, 429120452, 1674615, -297218217, -1159875, -949361686, -3704823, -1065510939, -4158088, 284313712, 1109516, 764594519, 2983781, -720393920, -2811291, 629190881, 2455377, 64176841, 250446, -162963861, -635956, 909946047, 3551006, 965793731, 3768948, -686309310, -2678278, 873958779, 3410568, 431820817, 1685153, 0, 0, -682491182, -2663378, -538486762, -2101410, 797147778, 3110818, 977780347, 3815725, -496502727, -1937570, -519705671, -2028118, -642926661, -2508980, 963363710, 3759465, 1013967746, 3956944, -409185979, -1596822, 507246529, 1979497, 628875181, 2454145, -258649997, -1009365, -210776307, -822541, 7126831, 27812, 0, 0, 1041158200, 4063053, 919027554, 3586446, -702264730, -2740543, 70227934, 274060, 799869667, 3121440, 825844983, 3222807, -1071989969, -4183372, 952468207, 3716946, 841760171, 3284915, 588452222, 2296397, 1013916752, 3956745, 1016110510, 3965306, -163212680, -636927, -22347069, -87208, -302950022, -1182243, 0, 0, 863652652, 3370349, -815613168, -3182878, -923069133, -3602218, -987079667, -3852015, 675340520, 2635473, -327391679, -1277625, -787459213, -3073009, -710479343, -2772600, 15156688, 59148, 456183549, 1780227, -681730119, -2660408, 373072124, 1455890, 681503850, 2659525, 495951789, 1935420, -449207, -1753, 0, 0
-};
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- pk[i] = rho[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt1_pack(pk + i * POLYT1_PACKEDBYTES, &t1->vec[i]);
- }
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = pk[i];
- }
- pk += SEEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt1_unpack(&t1->vec[i], pk + i * POLYT1_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = rho[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = key[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sk[i] = tr[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s1->vec[i]);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyeta_pack(sk + i * POLYETA_PACKEDBYTES, &s2->vec[i]);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt0_pack(sk + i * POLYT0_PACKEDBYTES, &t0->vec[i]);
- }
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]) {
- unsigned int i;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- rho[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- key[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- tr[i] = sk[i];
- }
- sk += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyeta_unpack(&s1->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += L * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyeta_unpack(&s2->vec[i], sk + i * POLYETA_PACKEDBYTES);
- }
- sk += K * POLYETA_PACKEDBYTES;
-
- for (i = 0; i < K; ++i) {
- polyt0_unpack(&t0->vec[i], sk + i * POLYT0_PACKEDBYTES);
- }
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- sig[i] = c[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyz_pack(sig + i * POLYZ_PACKEDBYTES, &z->vec[i]);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for (i = 0; i < OMEGA + K; ++i) {
- sig[i] = 0;
- }
-
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- if (h->vec[i].coeffs[j] != 0) {
- sig[k++] = (uint8_t) j;
- }
- }
-
- sig[OMEGA + i] = (uint8_t) k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES]) {
- unsigned int i, j, k;
-
- for (i = 0; i < SEEDBYTES; ++i) {
- c[i] = sig[i];
- }
- sig += SEEDBYTES;
-
- for (i = 0; i < L; ++i) {
- polyz_unpack(&z->vec[i], sig + i * POLYZ_PACKEDBYTES);
- }
- sig += L * POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for (i = 0; i < K; ++i) {
- for (j = 0; j < N; ++j) {
- h->vec[i].coeffs[j] = 0;
- }
-
- if (sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA) {
- return 1;
- }
-
- for (j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if (j > k && sig[j] <= sig[j - 1]) {
- return 1;
- }
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for (j = k; j < OMEGA; ++j) {
- if (sig[j]) {
- return 1;
- }
- }
-
- return 0;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PACKING_H
-#define PACKING_H
-#include "params.h"
-#include "polyvec.h"
-#include <stdint.h>
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef PARAMS_H
-#define PARAMS_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_MODE 3
-#define DILITHIUM_MODE 5
-
-#define CRYPTO_NAMESPACETOP PQCLEAN_DILITHIUM5_AARCH64_crypto_sign
-#define CRYPTO_NAMESPACE(s) PQCLEAN_DILITHIUM5_AARCH64_##s
-#define DILITHIUM_NAMESPACETOP CRYPTO_NAMESPACETOP
-#define DILITHIUM_NAMESPACE(s) CRYPTO_NAMESPACE(s)
-
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define DILITHIUM_Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((DILITHIUM_Q-1)/32)
-#define OMEGA 75
-#define CRYPTO_ALGNAME "Dilithium5"
-
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (DILITHIUM_Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (DILITHIUM_Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#define POLYETA_PACKEDBYTES 96
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "poly.h"
-#include "reduce.h"
-#include "rounding.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-#include "fips202x2.h"
-
-#include "NTT_params.h"
-#include "ntt.h"
-
-static const int32_t montgomery_const[4] = {
- DILITHIUM_Q, DILITHIUM_QINV
-};
-
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007].
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_poly_reduce(int32_t *, const int32_t *);
-void poly_reduce(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM5_AARCH64__asm_poly_reduce(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_caddq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_poly_caddq(int32_t *, const int32_t *);
-void poly_caddq(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM5_AARCH64__asm_poly_caddq(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_freeze
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* standard representatives.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_poly_freeze(int32_t *, const int32_t *);
-void poly_freeze(poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM5_AARCH64__asm_poly_freeze(a->coeffs, montgomery_const);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = a->coeffs[i] - b->coeffs[i];
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- a->coeffs[i] <<= D;
- }
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_tomont(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_poly_pointwise_montgomery(int32_t *des, const int32_t *src1, const int32_t *src2, const int32_t *table);
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM5_AARCH64__asm_poly_pointwise_montgomery(c->coeffs, a->coeffs, b->coeffs, montgomery_const);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_poly_power2round(int32_t *, int32_t *, const int32_t *);
-void poly_power2round(poly *a1, poly *a0, const poly *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM5_AARCH64__asm_poly_power2round(a1->coeffs, a0->coeffs, a->coeffs);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
- }
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint polynomial. The coefficients of which indicate
-* whether the low bits of the corresponding coefficient of
-* the input polynomial overflow into the high bits.
-*
-* Arguments: - poly *h: pointer to output hint polynomial
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
- unsigned int i, s = 0;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
- s += h->coeffs[i];
- }
-
- DBENCH_STOP(*tround);
- return s;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N; ++i) {
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
- }
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input coefficients were reduced by reduce32().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int32_t t;
- DBENCH_START();
-
- if (B > (DILITHIUM_Q - 1) / 8) {
- return 1;
- }
-
- /* It is ok to leak which coefficient violates the bound since
- the probability for each coefficient is independent of secret
- data but we must not leak the sign of the centralized representative. */
- for (i = 0; i < N; ++i) {
- /* Absolute value */
- t = a->coeffs[i] >> 31;
- t = a->coeffs[i] - (t & 2 * a->coeffs[i]);
-
- if (t >= B) {
- DBENCH_STOP(*tsample);
- return 1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return 0;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if (t < DILITHIUM_Q) {
- a[ctr++] = t;
- }
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-
-#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce) {
- unsigned int i, ctr, off;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
- stream128_state state;
-
- stream128_init(&state, seed, nonce);
- stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);
-
- ctr = rej_uniform(a->coeffs, N, buf, buflen);
-
- while (ctr < N) {
- off = buflen % 3;
- for (i = 0; i < off; ++i) {
- buf[i] = buf[buflen - off + i];
- }
-
- stream128_squeezeblocks(buf + off, 1, &state);
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
- stream128_release(&state);
-}
-
-void poly_uniformx2(poly *a0, poly *a1,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0, uint16_t nonce1) {
- unsigned int ctr0, ctr1;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES;
- uint8_t buf0[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
- uint8_t buf1[POLY_UNIFORM_NBLOCKS * STREAM128_BLOCKBYTES + 2];
-
- keccakx2_state statex2;
- dilithium_shake128x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake128x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_NBLOCKS, &statex2);
-
- ctr0 = rej_uniform(a0->coeffs, N, buf0, buflen);
- ctr1 = rej_uniform(a1->coeffs, N, buf1, buflen);
-
- while (ctr0 < N || ctr1 < N) {
- shake128x2_squeezeblocks(buf0, buf1, 1, &statex2);
- ctr0 += rej_uniform(a0->coeffs + ctr0, N - ctr0, buf0, buflen);
- ctr1 += rej_uniform(a1->coeffs + ctr1, N - ctr1, buf1, buflen);
- }
-
-
-}
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen) {
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while (ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-
- if (t0 < 15) {
- t0 = t0 - (205 * t0 >> 10) * 5;
- a[ctr++] = 2 - t0;
- }
- if (t1 < 15 && ctr < len) {
- t1 = t1 - (205 * t1 >> 10) * 5;
- a[ctr++] = 2 - t1;
- }
-
-
-
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce) {
- unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr = rej_eta(a->coeffs, N, buf, buflen);
-
- while (ctr < N) {
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
- stream256_release(&state);
-}
-
-void poly_uniform_etax2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1) {
- unsigned int ctr0, ctr1;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES;
-
- uint8_t buf0[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
- uint8_t buf1[POLY_UNIFORM_ETA_NBLOCKS * STREAM256_BLOCKBYTES];
-
- keccakx2_state statex2;
-
- dilithium_shake256x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake256x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_ETA_NBLOCKS, &statex2);
-
- ctr0 = rej_eta(a0->coeffs, N, buf0, buflen);
- ctr1 = rej_eta(a1->coeffs, N, buf1, buflen);
-
- while (ctr0 < N || ctr1 < N) {
- shake256x2_squeezeblocks(buf0, buf1, 1, &statex2);
- ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf0, STREAM256_BLOCKBYTES);
- ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf1, STREAM256_BLOCKBYTES);
- }
-}
-
-/*************************************************
-* Name: poly_uniform_gamma1m1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce) {
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- stream256_release(&state);
- polyz_unpack(a, buf);
-}
-
-void poly_uniform_gamma1x2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1) {
-
- uint8_t buf0[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
- uint8_t buf1[POLY_UNIFORM_GAMMA1_NBLOCKS * STREAM256_BLOCKBYTES];
-
- keccakx2_state statex2;
-
- dilithium_shake256x2_stream_init(&statex2, seed, nonce0, nonce1);
- shake256x2_squeezeblocks(buf0, buf1, POLY_UNIFORM_GAMMA1_NBLOCKS, &statex2);
-
- polyz_unpack(a0, buf0);
- polyz_unpack(a1, buf1);
-
-}
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf, sizeof buf, &state);
-
- signs = 0;
- for (i = 0; i < 8; ++i) {
- signs |= (uint64_t)buf[i] << 8 * i;
- }
- pos = 8;
-
- for (i = 0; i < N; ++i) {
- c->coeffs[i] = 0;
- }
- for (i = N - TAU; i < N; ++i) {
- do {
- if (pos >= SHAKE256_RATE) {
- shake256_inc_squeeze(buf, sizeof buf, &state);
- pos = 0;
- }
-
- b = buf[pos++];
- } while (b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2 * (signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = ETA - a->coeffs[8 * i + 0];
- t[1] = ETA - a->coeffs[8 * i + 1];
- t[2] = ETA - a->coeffs[8 * i + 2];
- t[3] = ETA - a->coeffs[8 * i + 3];
- t[4] = ETA - a->coeffs[8 * i + 4];
- t[5] = ETA - a->coeffs[8 * i + 5];
- t[6] = ETA - a->coeffs[8 * i + 6];
- t[7] = ETA - a->coeffs[8 * i + 7];
-
- r[3 * i + 0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3 * i + 1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3 * i + 2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = (a[3 * i + 0] >> 0) & 7;
- r->coeffs[8 * i + 1] = (a[3 * i + 0] >> 3) & 7;
- r->coeffs[8 * i + 2] = ((a[3 * i + 0] >> 6) | (a[3 * i + 1] << 2)) & 7;
- r->coeffs[8 * i + 3] = (a[3 * i + 1] >> 1) & 7;
- r->coeffs[8 * i + 4] = (a[3 * i + 1] >> 4) & 7;
- r->coeffs[8 * i + 5] = ((a[3 * i + 1] >> 7) | (a[3 * i + 2] << 1)) & 7;
- r->coeffs[8 * i + 6] = (a[3 * i + 2] >> 2) & 7;
- r->coeffs[8 * i + 7] = (a[3 * i + 2] >> 5) & 7;
-
- r->coeffs[8 * i + 0] = ETA - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = ETA - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = ETA - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = ETA - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = ETA - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = ETA - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = ETA - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = ETA - r->coeffs[8 * i + 7];
- }
-
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 4; ++i) {
- r[5 * i + 0] = (uint8_t) (a->coeffs[4 * i + 0] >> 0);
- r[5 * i + 1] = (uint8_t) ((a->coeffs[4 * i + 0] >> 8) | (a->coeffs[4 * i + 1] << 2));
- r[5 * i + 2] = (uint8_t) ((a->coeffs[4 * i + 1] >> 6) | (a->coeffs[4 * i + 2] << 4));
- r[5 * i + 3] = (uint8_t) ((a->coeffs[4 * i + 2] >> 4) | (a->coeffs[4 * i + 3] << 6));
- r[5 * i + 4] = (uint8_t) (a->coeffs[4 * i + 3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_10_to_32(int32_t *, const uint8_t *);
-void polyt1_unpack(poly *r, const uint8_t *a) {
- DBENCH_START();
-
- PQCLEAN_DILITHIUM5_AARCH64__asm_10_to_32(r->coeffs, a);
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- t[0] = (1 << (D - 1)) - a->coeffs[8 * i + 0];
- t[1] = (1 << (D - 1)) - a->coeffs[8 * i + 1];
- t[2] = (1 << (D - 1)) - a->coeffs[8 * i + 2];
- t[3] = (1 << (D - 1)) - a->coeffs[8 * i + 3];
- t[4] = (1 << (D - 1)) - a->coeffs[8 * i + 4];
- t[5] = (1 << (D - 1)) - a->coeffs[8 * i + 5];
- t[6] = (1 << (D - 1)) - a->coeffs[8 * i + 6];
- t[7] = (1 << (D - 1)) - a->coeffs[8 * i + 7];
-
- r[13 * i + 0] = (uint8_t) t[0];
- r[13 * i + 1] = (uint8_t) (t[0] >> 8);
- r[13 * i + 1] |= (uint8_t) (t[1] << 5);
- r[13 * i + 2] = (uint8_t) (t[1] >> 3);
- r[13 * i + 3] = (uint8_t) (t[1] >> 11);
- r[13 * i + 3] |= (uint8_t) (t[2] << 2);
- r[13 * i + 4] = (uint8_t) (t[2] >> 6);
- r[13 * i + 4] |= (uint8_t) (t[3] << 7);
- r[13 * i + 5] = (uint8_t) (t[3] >> 1);
- r[13 * i + 6] = (uint8_t) (t[3] >> 9);
- r[13 * i + 6] |= (uint8_t) (t[4] << 4);
- r[13 * i + 7] = (uint8_t) (t[4] >> 4);
- r[13 * i + 8] = (uint8_t) (t[4] >> 12);
- r[13 * i + 8] |= (uint8_t) (t[5] << 1);
- r[13 * i + 9] = (uint8_t) (t[5] >> 7);
- r[13 * i + 9] |= (uint8_t) (t[6] << 6);
- r[13 * i + 10] = (uint8_t) (t[6] >> 2);
- r[13 * i + 11] = (uint8_t) (t[6] >> 10);
- r[13 * i + 11] |= (uint8_t) (t[7] << 3);
- r[13 * i + 12] = (uint8_t) (t[7] >> 5);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for (i = 0; i < N / 8; ++i) {
- r->coeffs[8 * i + 0] = a[13 * i + 0];
- r->coeffs[8 * i + 0] |= (uint32_t)a[13 * i + 1] << 8;
- r->coeffs[8 * i + 0] &= 0x1FFF;
-
- r->coeffs[8 * i + 1] = a[13 * i + 1] >> 5;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 2] << 3;
- r->coeffs[8 * i + 1] |= (uint32_t)a[13 * i + 3] << 11;
- r->coeffs[8 * i + 1] &= 0x1FFF;
-
- r->coeffs[8 * i + 2] = a[13 * i + 3] >> 2;
- r->coeffs[8 * i + 2] |= (uint32_t)a[13 * i + 4] << 6;
- r->coeffs[8 * i + 2] &= 0x1FFF;
-
- r->coeffs[8 * i + 3] = a[13 * i + 4] >> 7;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 5] << 1;
- r->coeffs[8 * i + 3] |= (uint32_t)a[13 * i + 6] << 9;
- r->coeffs[8 * i + 3] &= 0x1FFF;
-
- r->coeffs[8 * i + 4] = a[13 * i + 6] >> 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 7] << 4;
- r->coeffs[8 * i + 4] |= (uint32_t)a[13 * i + 8] << 12;
- r->coeffs[8 * i + 4] &= 0x1FFF;
-
- r->coeffs[8 * i + 5] = a[13 * i + 8] >> 1;
- r->coeffs[8 * i + 5] |= (uint32_t)a[13 * i + 9] << 7;
- r->coeffs[8 * i + 5] &= 0x1FFF;
-
- r->coeffs[8 * i + 6] = a[13 * i + 9] >> 6;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 10] << 2;
- r->coeffs[8 * i + 6] |= (uint32_t)a[13 * i + 11] << 10;
- r->coeffs[8 * i + 6] &= 0x1FFF;
-
- r->coeffs[8 * i + 7] = a[13 * i + 11] >> 3;
- r->coeffs[8 * i + 7] |= (uint32_t)a[13 * i + 12] << 5;
- r->coeffs[8 * i + 7] &= 0x1FFF;
-
- r->coeffs[8 * i + 0] = (1 << (D - 1)) - r->coeffs[8 * i + 0];
- r->coeffs[8 * i + 1] = (1 << (D - 1)) - r->coeffs[8 * i + 1];
- r->coeffs[8 * i + 2] = (1 << (D - 1)) - r->coeffs[8 * i + 2];
- r->coeffs[8 * i + 3] = (1 << (D - 1)) - r->coeffs[8 * i + 3];
- r->coeffs[8 * i + 4] = (1 << (D - 1)) - r->coeffs[8 * i + 4];
- r->coeffs[8 * i + 5] = (1 << (D - 1)) - r->coeffs[8 * i + 5];
- r->coeffs[8 * i + 6] = (1 << (D - 1)) - r->coeffs[8 * i + 6];
- r->coeffs[8 * i + 7] = (1 << (D - 1)) - r->coeffs[8 * i + 7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
- #if GAMMA1 == (1 << 17)
-
- for (i = 0; i < N / 4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4 * i + 0];
- t[1] = GAMMA1 - a->coeffs[4 * i + 1];
- t[2] = GAMMA1 - a->coeffs[4 * i + 2];
- t[3] = GAMMA1 - a->coeffs[4 * i + 3];
-
- r[9 * i + 0] = t[0];
- r[9 * i + 1] = t[0] >> 8;
- r[9 * i + 2] = t[0] >> 16;
- r[9 * i + 2] |= t[1] << 2;
- r[9 * i + 3] = t[1] >> 6;
- r[9 * i + 4] = t[1] >> 14;
- r[9 * i + 4] |= t[2] << 4;
- r[9 * i + 5] = t[2] >> 4;
- r[9 * i + 6] = t[2] >> 12;
- r[9 * i + 6] |= t[3] << 6;
- r[9 * i + 7] = t[3] >> 2;
- r[9 * i + 8] = t[3] >> 10;
- }
-
- #elif GAMMA1 == (1 << 19)
-
- for (i = 0; i < N / 2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2 * i + 0];
- t[1] = GAMMA1 - a->coeffs[2 * i + 1];
-
- r[5 * i + 0] = t[0];
- r[5 * i + 1] = t[0] >> 8;
- r[5 * i + 2] = t[0] >> 16;
- r[5 * i + 2] |= t[1] << 4;
- r[5 * i + 3] = t[1] >> 4;
- r[5 * i + 4] = t[1] >> 12;
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- #if GAMMA1 == (1 << 17)
-
- for (i = 0; i < N / 4; ++i) {
- r->coeffs[4 * i + 0] = a[9 * i + 0];
- r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 1] << 8;
- r->coeffs[4 * i + 0] |= (uint32_t)a[9 * i + 2] << 16;
- r->coeffs[4 * i + 0] &= 0x3FFFF;
-
- r->coeffs[4 * i + 1] = a[9 * i + 2] >> 2;
- r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 3] << 6;
- r->coeffs[4 * i + 1] |= (uint32_t)a[9 * i + 4] << 14;
- r->coeffs[4 * i + 1] &= 0x3FFFF;
-
- r->coeffs[4 * i + 2] = a[9 * i + 4] >> 4;
- r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 5] << 4;
- r->coeffs[4 * i + 2] |= (uint32_t)a[9 * i + 6] << 12;
- r->coeffs[4 * i + 2] &= 0x3FFFF;
-
- r->coeffs[4 * i + 3] = a[9 * i + 6] >> 6;
- r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 7] << 2;
- r->coeffs[4 * i + 3] |= (uint32_t)a[9 * i + 8] << 10;
- r->coeffs[4 * i + 3] &= 0x3FFFF;
-
- r->coeffs[4 * i + 0] = GAMMA1 - r->coeffs[4 * i + 0];
- r->coeffs[4 * i + 1] = GAMMA1 - r->coeffs[4 * i + 1];
- r->coeffs[4 * i + 2] = GAMMA1 - r->coeffs[4 * i + 2];
- r->coeffs[4 * i + 3] = GAMMA1 - r->coeffs[4 * i + 3];
- }
-
- #elif GAMMA1 == (1 << 19)
-
- for (i = 0; i < N / 2; ++i) {
- r->coeffs[2 * i + 0] = a[5 * i + 0];
- r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 1] << 8;
- r->coeffs[2 * i + 0] |= (uint32_t)a[5 * i + 2] << 16;
- r->coeffs[2 * i + 0] &= 0xFFFFF;
-
- r->coeffs[2 * i + 1] = a[5 * i + 2] >> 4;
- r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 3] << 4;
- r->coeffs[2 * i + 1] |= (uint32_t)a[5 * i + 4] << 12;
- r->coeffs[2 * i + 0] &= 0xFFFFF;
-
- r->coeffs[2 * i + 0] = GAMMA1 - r->coeffs[2 * i + 0];
- r->coeffs[2 * i + 1] = GAMMA1 - r->coeffs[2 * i + 1];
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- #if GAMMA2 == (DILITHIUM_Q-1)/88
-
- for (i = 0; i < N / 4; ++i) {
- r[3 * i + 0] = a->coeffs[4 * i + 0];
- r[3 * i + 0] |= a->coeffs[4 * i + 1] << 6;
- r[3 * i + 1] = a->coeffs[4 * i + 1] >> 2;
- r[3 * i + 1] |= a->coeffs[4 * i + 2] << 4;
- r[3 * i + 2] = a->coeffs[4 * i + 2] >> 4;
- r[3 * i + 2] |= a->coeffs[4 * i + 3] << 2;
- }
-
- #elif GAMMA2 == (DILITHIUM_Q-1)/32
-
- for (i = 0; i < N / 2; ++i) {
- r[i] = a->coeffs[2 * i + 0] | (a->coeffs[2 * i + 1] << 4);
- }
-
- #else
-
-#error "No parameter specified!"
-
- #endif
-
- DBENCH_STOP(*tpack);
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef POLY_H
-#define POLY_H
-#include "params.h"
-#include <stdint.h>
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-#define poly_freeze DILITHIUM_NAMESPACE(poly_freeze)
-void poly_freeze(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-#define poly_uniformx2 DILITHIUM_NAMESPACE(poly_uniformx2)
-void poly_uniformx2(poly *a0, poly *a1,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_etax2 DILITHIUM_NAMESPACE(poly_uniform_etax2)
-void poly_uniform_etax2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_gamma1x2 DILITHIUM_NAMESPACE(poly_uniform_gamma1x2)
-void poly_uniform_gamma1x2(poly *a0, poly *a1,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0, uint16_t nonce1);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t *r, const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t *a);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t *r, const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t *a);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t *r, const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t *a);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t *r, const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include <stdint.h>
-
-#include "reduce.h"
-
-static const int32_t l_montgomery_const[4] = {
- DILITHIUM_Q, DILITHIUM_QINV
-};
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
-
- for (j = 0; j < L; ++j) {
- for (i = 0; i < K; i += 2) {
- poly_uniformx2(&mat[i + 0].vec[j], &mat[i + 1].vec[j], rho, (uint16_t) ((i << 8) + j), (uint16_t) (((i + 1) << 8) + j));
- }
- }
-}
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
- }
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < L - 1; i += 2) {
- poly_uniform_gamma1x2(&v->vec[i + 0], &v->vec[i + 1], seed, (uint16_t) (L * nonce + i + 0), (uint16_t) (L * nonce + i + 1));
- }
- if (L & 1) {
- poly_uniform_gamma1(&v->vec[i], seed, (uint16_t) (L * nonce + L - 1));
- }
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length L
-* to standard representatives.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_freeze(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_ntt(&v->vec[i]);
- }
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-extern void PQCLEAN_DILITHIUM5_AARCH64__asm_polyvecl_pointwise_acc_montgomery(int32_t *, const int32_t *, const int32_t *, const int32_t *);
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v) {
- PQCLEAN_DILITHIUM5_AARCH64__asm_polyvecl_pointwise_acc_montgomery(w->coeffs, u->vec[0].coeffs, v->vec[0].coeffs, l_montgomery_const);
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < L; ++i) {
- if (poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_uniform_eta(&v->vec[i], seed, nonce++);
- }
-
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_reduce(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_caddq(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_freeze
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to standard representatives.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_freeze(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_freeze(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_shiftl(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_ntt(&v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_invntt_tomont(&v->vec[i]);
- }
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
- }
-}
-
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- if (poly_chknorm(&v->vec[i], bound)) {
- return 1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
- }
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - polyveck *h: pointer to output vector
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1) {
- unsigned int i, s = 0;
-
- for (i = 0; i < K; ++i) {
- s += poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
- }
-
- return s;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
- }
-}
-
-void polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for (i = 0; i < K; ++i) {
- polyw1_pack(&r[i * POLYW1_PACKEDBYTES], &w1->vec[i]);
- }
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef POLYVEC_H
-#define POLYVEC_H
-#include "params.h"
-#include "poly.h"
-#include <stdint.h>
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_freeze DILITHIUM_NAMESPACE(polyvecl_freeze)
-void polyvecl_freeze(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-#define polyveck_freeze DILITHIUM_NAMESPACE(polyveck_freeze)
-void polyveck_freeze(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K * POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "params.h"
-#include "reduce.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int32_t)((uint64_t)a * (uint64_t)DILITHIUM_QINV);
- t = (a - (int64_t)t * DILITHIUM_Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t * DILITHIUM_Q;
- return t;
-}
-
-/*************************************************
-* Name: caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t caddq(int32_t a) {
- a += (a >> 31) & DILITHIUM_Q;
- return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t freeze(int32_t a) {
- a = reduce32(a);
- a = caddq(a);
- return a;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef REDUCE_H
-#define REDUCE_H
-#include "params.h"
-#include <stdint.h>
-
-#define DILITHIUM_QINV 58728449 // q^(-1) mod 2^32
-
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
-
-#define reduce32 DILITHIUM_NAMESPACE(reduce32)
-int32_t reduce32(int32_t a);
-
-#define caddq DILITHIUM_NAMESPACE(caddq)
-int32_t caddq(int32_t a);
-
-#define freeze DILITHIUM_NAMESPACE(freeze)
-int32_t freeze(int32_t a);
-
-#endif
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#include "params.h"
-#include "rounding.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D - 1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
- #if GAMMA2 == (DILITHIUM_Q-1)/32
-
- a1 = (a1 * 1025 + (1 << 21)) >> 22;
- a1 &= 15;
-
- #elif GAMMA2 == (DILITHIUM_Q-1)/88
-
- a1 = (a1 * 11275 + (1 << 23)) >> 24;
- a1 ^= ((43 - a1) >> 31) & a1;
-
- #else
-
-#error "No parameter specified"
-
- #endif
-
- *a0 = a - a1 * 2 * GAMMA2;
- *a0 -= (((DILITHIUM_Q - 1) / 2 - *a0) >> 31) & DILITHIUM_Q;
- return a1;
-}
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if (a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0)) {
- return 1;
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = decompose(&a0, a);
- if (hint == 0) {
- return a1;
- }
-
- #if GAMMA2 == (DILITHIUM_Q-1)/32
-
- if (a0 > 0) {
- return (a1 + 1) & 15;
- }
- return (a1 - 1) & 15;
- #elif GAMMA2 == (DILITHIUM_Q-1)/88
-
- if (a0 > 0) {
- return (a1 == 43) ? 0 : a1 + 1;
- }
- return (a1 == 0) ? 43 : a1 - 1;
- #endif
-
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef ROUNDING_H
-#define ROUNDING_H
-#include "params.h"
-#include <stdint.h>
-
-#define power2round DILITHIUM_NAMESPACE(power2round)
-int32_t power2round(int32_t *a0, int32_t a);
-
-#define decompose DILITHIUM_NAMESPACE(decompose)
-int32_t decompose(int32_t *a0, int32_t a);
-
-#define make_hint DILITHIUM_NAMESPACE(make_hint)
-unsigned int make_hint(int32_t a0, int32_t a1);
-
-#define use_hint DILITHIUM_NAMESPACE(use_hint)
-int32_t use_hint(int32_t a, unsigned int hint);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "fips202.h"
-#include "packing.h"
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include "randombytes.h"
-#include "sign.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seedbuf[2 * SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
- const uint8_t *rho, *rhoprime, *key;
- polyvecl mat[K];
- polyvecl s1, s1hat;
- polyveck s2, t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2 * SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Expand matrix */
- polyvec_matrix_expand(mat, rho);
-
- /* Sample short vectors s1 and s2 */
- polyvecl_uniform_eta(&s1, rhoprime, 0);
- polyveck_uniform_eta(&s2, rhoprime, L);
-
- /* Matrix-vector multiplication */
- s1hat = s1;
- polyvecl_ntt(&s1hat);
- polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat);
- polyveck_reduce(&t1);
- polyveck_invntt_tomont(&t1);
-
- /* Add error vector s2 */
- polyveck_add(&t1, &t1, &s2);
-
- /* Extract t1 and write public key */
- polyveck_caddq(&t1);
- polyveck_power2round(&t1, &t0, &t1);
- pack_pk(pk, rho, &t1);
-
- /* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig,
- size_t *siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk) {
- unsigned int n;
- uint8_t seedbuf[3 * SEEDBYTES + 2 * CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint16_t nonce = 0;
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- // liboqs uses randomized signing for the reference and
- // avx2 implementations of dilithium. pqclean currently
- // doesn't support randomized signing, so this is patched
- // in. If/when pqclean adds randomized signing to dilithium
- // this will need to be updated.
- randombytes(rhoprime, CRHBYTES);
- //shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-rej:
- /* Sample intermediate vector y */
- polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
- /* Matrix-vector multiplication */
- z = y;
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K * POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
- /* Compute z, reject if it reveals secret */
- polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
- polyvecl_invntt_tomont(&z);
- polyvecl_add(&z, &z, &y);
- polyvecl_reduce(&z);
- if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
- goto rej;
- }
-
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
- polyveck_invntt_tomont(&h);
- polyveck_sub(&w0, &w0, &h);
- polyveck_reduce(&w0);
- if (polyveck_chknorm(&w0, GAMMA2 - BETA)) {
- goto rej;
- }
-
- /* Compute hints for w1 */
- polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
- polyveck_invntt_tomont(&h);
- polyveck_reduce(&h);
- if (polyveck_chknorm(&h, GAMMA2)) {
- goto rej;
- }
-
- polyveck_add(&w0, &w0, &h);
- n = polyveck_make_hint(&h, &w0, &w1);
- if (n > OMEGA) {
- goto rej;
- }
-
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm,
- size_t *smlen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk) {
- size_t i;
-
- for (i = 0; i < mlen; ++i) {
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- }
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig,
- size_t siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *pk) {
- unsigned int i;
- uint8_t buf[K * POLYW1_PACKEDBYTES];
- uint8_t rho[SEEDBYTES];
- uint8_t mu[CRHBYTES];
- uint8_t c[SEEDBYTES];
- uint8_t c2[SEEDBYTES];
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
- shake256incctx state;
-
- if (siglen != CRYPTO_BYTES) {
- return -1;
- }
-
- unpack_pk(rho, &t1, pk);
- if (unpack_sig(c, &z, &h, sig)) {
- return -1;
- }
- if (polyvecl_chknorm(&z, GAMMA1 - BETA)) {
- return -1;
- }
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
- polyvec_matrix_expand(mat, rho);
-
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
- poly_ntt(&cp);
- polyveck_shiftl(&t1);
- polyveck_ntt(&t1);
- polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
- polyveck_sub(&w1, &w1, &t1);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Reconstruct w1 */
- polyveck_caddq(&w1);
- polyveck_use_hint(&w1, &w1, &h);
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf, K * POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(c2, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for (i = 0; i < SEEDBYTES; ++i) {
- if (c[i] != c2[i]) {
- return -1;
- }
- }
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m,
- size_t *mlen,
- const uint8_t *sm,
- size_t smlen,
- const uint8_t *pk) {
- size_t i;
-
- if (smlen < CRYPTO_BYTES) {
- goto badsig;
- }
-
- *mlen = smlen - CRYPTO_BYTES;
- if (crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk)) {
- goto badsig;
- } else {
- /* All good, copy msg, return 0 */
- for (i = 0; i < *mlen; ++i) {
- m[i] = sm[CRYPTO_BYTES + i];
- }
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = (size_t) -1;
- for (i = 0; i < smlen; ++i) {
- m[i] = 0;
- }
-
- return -1;
-}
+++ /dev/null
-
-/*
- * This file is dual licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html)
- * or public domain at https://github.com/pq-crystals/dilithium
- */
-
-#ifndef SIGN_H
-#define SIGN_H
-#include "params.h"
-#include "poly.h"
-#include "polyvec.h"
-#include <stddef.h>
-#include <stdint.h>
-
-
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(crypto_sign_keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(crypto_sign_signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(crypto_sign_verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(crypto_sign_open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "fips202.h"
-#include "params.h"
-#include "symmetric.h"
-#include <stdint.h>
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce) {
- uint8_t t[2];
- t[0] = (uint8_t) nonce;
- t[1] = (uint8_t) (nonce >> 8);
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- uint8_t t[2];
- t[0] = (uint8_t) nonce;
- t[1] = (uint8_t) (nonce >> 8);
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
-
-void dilithium_shake128x2_stream_init(keccakx2_state *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce1, uint16_t nonce2) {
- unsigned int i;
- uint8_t extseed1[SEEDBYTES + 2 + 14];
- uint8_t extseed2[SEEDBYTES + 2 + 14];
-
- for (i = 0; i < SEEDBYTES; i++) {
- extseed1[i] = seed[i];
- extseed2[i] = seed[i];
- }
- extseed1[SEEDBYTES] = (uint8_t) nonce1;
- extseed1[SEEDBYTES + 1] = (uint8_t) (nonce1 >> 8);
-
- extseed2[SEEDBYTES ] = (uint8_t) nonce2;
- extseed2[SEEDBYTES + 1] = (uint8_t) (nonce2 >> 8);
-
- shake128x2_absorb(state, extseed1, extseed2, SEEDBYTES + 2);
-}
-
-void dilithium_shake256x2_stream_init(keccakx2_state *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce1, uint16_t nonce2) {
- unsigned int i;
- uint8_t extseed1[CRHBYTES + 2 + 14];
- uint8_t extseed2[CRHBYTES + 2 + 14];
-
- for (i = 0; i < CRHBYTES; i++) {
- extseed1[i] = seed[i];
- extseed2[i] = seed[i];
- }
- extseed1[CRHBYTES] = (uint8_t) nonce1;
- extseed1[CRHBYTES + 1] = (uint8_t) (nonce1 >> 8);
-
- extseed2[CRHBYTES ] = (uint8_t) nonce2;
- extseed2[CRHBYTES + 1] = (uint8_t) (nonce2 >> 8);
-
- shake256x2_absorb(state, extseed1, extseed2, CRHBYTES + 2);
-}
+++ /dev/null
-
-/*
- * This file was originally licensed
- * under Apache 2.0 (https://www.apache.org/licenses/LICENSE-2.0.html) or
- * public domain at https://github.com/pq-crystals/dilithium/tree/master/ref
- *
- * We choose
- * CC0 1.0 Universal or the following MIT License
- *
- * MIT License
- *
- * Copyright (c) 2023: Hanno Becker, Vincent Hwang, Matthias J. Kannwischer, Bo-Yin Yang, and Shang-Yi Yang
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-#include "fips202.h"
-#include "fips202x2.h"
-#include "params.h"
-#include <stdint.h>
-
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-#define dilithium_shake128x2_stream_init DILITHIUM_NAMESPACE(dilithium_shake128x2_stream_init)
-void dilithium_shake128x2_stream_init(keccakx2_state *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce1, uint16_t nonce2);
-#define dilithium_shake256x2_stream_init DILITHIUM_NAMESPACE(dilithium_shake256x2_stream_init)
-void dilithium_shake256x2_stream_init(keccakx2_state *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce1, uint16_t nonce2);
-
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE128_RATE), STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_inc_squeeze(OUT, (OUTBLOCKS)*(SHAKE256_RATE), STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-
-#endif
+++ /dev/null
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
-or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
-
-For Keccak and the random number generator
-we are using public-domain code from sources
-and by authors listed in comments on top of
-the respective files.
+++ /dev/null
-#ifndef ALIGN_H
-#define ALIGN_H
-
-#include <stdint.h>
-#include <immintrin.h>
-
-#define ALIGNED_UINT8(N) \
- union { \
- uint8_t coeffs[N]; \
- __m256i vec[(N+31)/32]; \
- }
-
-#define ALIGNED_INT32(N) \
- union { \
- int32_t coeffs[N]; \
- __m256i vec[(N+7)/8]; \
- }
-
-#endif
+++ /dev/null
-#ifndef API_H
-#define API_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium2aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_SECRETKEYBYTES pqcrystals_dilithium2_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_BYTES pqcrystals_dilithium2_avx2_BYTES
-
-int pqcrystals_dilithium2aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
-
-#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_SECRETKEYBYTES pqcrystals_dilithium3_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_BYTES pqcrystals_dilithium3_avx2_BYTES
-
-int pqcrystals_dilithium3aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
-
-#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_SECRETKEYBYTES pqcrystals_dilithium5_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_BYTES pqcrystals_dilithium5_avx2_BYTES
-
-int pqcrystals_dilithium5aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_avx2_##s
-#endif
-#else
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
-#endif
-#endif
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "consts.h"
-
-#define QINV 58728449 // q^(-1) mod 2^32
-#define MONT -4186625 // 2^32 mod q
-#define DIV 41978 // mont^2/256
-#define DIV_QINV -8395782
-
-const qdata_t qdata = {{
-#define _8XQ 0
- Q, Q, Q, Q, Q, Q, Q, Q,
-
-#define _8XQINV 8
- QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV,
-
-#define _8XDIV_QINV 16
- DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV,
-
-#define _8XDIV 24
- DIV, DIV, DIV, DIV, DIV, DIV, DIV, DIV,
-
-#define _ZETAS_QINV 32
- -151046689, 1830765815, -1929875198, -1927777021, 1640767044, 1477910808, 1612161320, 1640734244,
- 308362795, 308362795, 308362795, 308362795, -1815525077, -1815525077, -1815525077, -1815525077,
- -1374673747, -1374673747, -1374673747, -1374673747, -1091570561, -1091570561, -1091570561, -1091570561,
- -1929495947, -1929495947, -1929495947, -1929495947, 515185417, 515185417, 515185417, 515185417,
- -285697463, -285697463, -285697463, -285697463, 625853735, 625853735, 625853735, 625853735,
- 1727305304, 1727305304, 2082316400, 2082316400, -1364982364, -1364982364, 858240904, 858240904,
- 1806278032, 1806278032, 222489248, 222489248, -346752664, -346752664, 684667771, 684667771,
- 1654287830, 1654287830, -878576921, -878576921, -1257667337, -1257667337, -748618600, -748618600,
- 329347125, 329347125, 1837364258, 1837364258, -1443016191, -1443016191, -1170414139, -1170414139,
- -1846138265, -1631226336, -1404529459, 1838055109, 1594295555, -1076973524, -1898723372, -594436433,
- -202001019, -475984260, -561427818, 1797021249, -1061813248, 2059733581, -1661512036, -1104976547,
- -1750224323, -901666090, 418987550, 1831915353, -1925356481, 992097815, 879957084, 2024403852,
- 1484874664, -1636082790, -285388938, -1983539117, -1495136972, -950076368, -1714807468, -952438995,
- -1574918427, 1350681039, -2143979939, 1599739335, -1285853323, -993005454, -1440787840, 568627424,
- -783134478, -588790216, 289871779, -1262003603, 2135294594, -1018755525, -889861155, 1665705315,
- 1321868265, 1225434135, -1784632064, 666258756, 675310538, -1555941048, -1999506068, -1499481951,
- -695180180, -1375177022, 1777179795, 334803717, -178766299, -518252220, 1957047970, 1146323031,
- -654783359, -1974159335, 1651689966, 140455867, -1039411342, 1955560694, 1529189038, -2131021878,
- -247357819, 1518161567, -86965173, 1708872713, 1787797779, 1638590967, -120646188, -1669960606,
- -916321552, 1155548552, 2143745726, 1210558298, -1261461890, -318346816, 628664287, -1729304568,
- 1422575624, 1424130038, -1185330464, 235321234, 168022240, 1206536194, 985155484, -894060583,
- -898413, -1363460238, -605900043, 2027833504, 14253662, 1014493059, 863641633, 1819892093,
- 2124962073, -1223601433, -1920467227, -1637785316, -1536588520, 694382729, 235104446, -1045062172,
- 831969619, -300448763, 756955444, -260312805, 1554794072, 1339088280, -2040058690, -853476187,
- -2047270596, -1723816713, -1591599803, -440824168, 1119856484, 1544891539, 155290192, -973777462,
- 991903578, 912367099, -44694137, 1176904444, -421552614, -818371958, 1747917558, -325927722,
- 908452108, 1851023419, -1176751719, -1354528380, -72690498, -314284737, 985022747, 963438279,
- -1078959975, 604552167, -1021949428, 608791570, 173440395, -2126092136, -1316619236, -1039370342,
- 6087993, -110126092, 565464272, -1758099917, -1600929361, 879867909, -1809756372, 400711272,
- 1363007700, 30313375, -326425360, 1683520342, -517299994, 2027935492, -1372618620, 128353682,
- -1123881663, 137583815, -635454918, -642772911, 45766801, 671509323, -2070602178, 419615363,
- 1216882040, -270590488, -1276805128, 371462360, -1357098057, -384158533, 827959816, -596344473,
- 702390549, -279505433, -260424530, -71875110, -1208667171, -1499603926, 2036925262, -540420426,
- 746144248, -1420958686, 2032221021, 1904936414, 1257750362, 1926727420, 1931587462, 1258381762,
- 885133339, 1629985060, 1967222129, 6363718, -1287922800, 1136965286, 1779436847, 1116720494,
- 1042326957, 1405999311, 713994583, 940195359, -1542497137, 2061661095, -883155599, 1726753853,
- -1547952704, 394851342, 283780712, 776003547, 1123958025, 201262505, 1934038751, 374860238,
-
-#define _ZETAS 328
- -3975713, 25847, -2608894, -518909, 237124, -777960, -876248, 466468,
- 1826347, 1826347, 1826347, 1826347, 2353451, 2353451, 2353451, 2353451,
- -359251, -359251, -359251, -359251, -2091905, -2091905, -2091905, -2091905,
- 3119733, 3119733, 3119733, 3119733, -2884855, -2884855, -2884855, -2884855,
- 3111497, 3111497, 3111497, 3111497, 2680103, 2680103, 2680103, 2680103,
- 2725464, 2725464, 1024112, 1024112, -1079900, -1079900, 3585928, 3585928,
- -549488, -549488, -1119584, -1119584, 2619752, 2619752, -2108549, -2108549,
- -2118186, -2118186, -3859737, -3859737, -1399561, -1399561, -3277672, -3277672,
- 1757237, 1757237, -19422, -19422, 4010497, 4010497, 280005, 280005,
- 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439,
- -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299,
- -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596,
- 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
- -3930395, -3677745, -1452451, 2176455, -1257611, -4083598, -3190144, -3632928,
- 3412210, 2147896, -2967645, -411027, -671102, -22981, -381987, 1852771,
- -3343383, 508951, 44288, 904516, -3724342, 1653064, 2389356, 759969,
- 189548, 3159746, -2409325, 1315589, 1285669, -812732, -3019102, -3628969,
- -1528703, -3041255, 3475950, -1585221, 1939314, -1000202, -3157330, 126922,
- -983419, 2715295, -3693493, -2477047, -1228525, -1308169, 1349076, -1430430,
- 264944, 3097992, -1100098, 3958618, -8578, -3249728, -210977, -1316856,
- -3553272, -1851402, -177440, 1341330, -1584928, -1439742, -3881060, 3839961,
- 2091667, -3342478, 266997, -3520352, 900702, 495491, -655327, -3556995,
- 342297, 3437287, 2842341, 4055324, -3767016, -2994039, -1333058, -451100,
- -1279661, 1500165, -542412, -2584293, -2013608, 1957272, -3183426, 810149,
- -3038916, 2213111, -426683, -1667432, -2939036, 183443, -554416, 3937738,
- 3407706, 2244091, 2434439, -3759364, 1859098, -1613174, -3122442, -525098,
- 286988, -3342277, 2691481, 1247620, 1250494, 1869119, 1237275, 1312455,
- 1917081, 777191, -2831860, -3724270, 2432395, 3369112, 162844, 1652634,
- 3523897, -975884, 1723600, -1104333, -2235985, -976891, 3919660, 1400424,
- 2316500, -2446433, -1235728, -1197226, 909542, -43260, 2031748, -768622,
- -2437823, 1735879, -2590150, 2486353, 2635921, 1903435, -3318210, 3306115,
- -2546312, 2235880, -1671176, 594136, 2454455, 185531, 1616392, -3694233,
- 3866901, 1717735, -1803090, -260646, -420899, 1612842, -48306, -846154,
- 3817976, -3562462, 3513181, -3193378, 819034, -522500, 3207046, -3595838,
- 4108315, 203044, 1265009, 1595974, -3548272, -1050970, -1430225, -1962642,
- -1374803, 3406031, -1846953, -3776993, -164721, -1207385, 3014001, -1799107,
- 269760, 472078, 1910376, -3833893, -2286327, -3545687, -1362209, 1976782,
-}};
+++ /dev/null
-#ifndef CONSTS_H
-#define CONSTS_H
-
-#include "params.h"
-
-#define _8XQ 0
-#define _8XQINV 8
-#define _8XDIV_QINV 16
-#define _8XDIV 24
-#define _ZETAS_QINV 32
-#define _ZETAS 328
-
-/* The C ABI on MacOS exports all symbols with a leading
- * underscore. This means that any symbols we refer to from
- * C files (functions) can't be found, and all symbols we
- * refer to from ASM also can't be found.
- *
- * This define helps us get around this
- */
-#if defined(__WIN32__) || defined(__APPLE__)
-#define decorate(s) _##s
-#define _cdecl(s) decorate(s)
-#define cdecl(s) _cdecl(DILITHIUM_NAMESPACE(##s))
-#else
-#define cdecl(s) DILITHIUM_NAMESPACE(##s)
-#endif
-
-#ifndef __ASSEMBLER__
-
-#include "align.h"
-
-typedef ALIGNED_INT32(624) qdata_t;
-
-#define qdata DILITHIUM_NAMESPACE(qdata)
-extern const qdata_t qdata;
-
-#endif
-#endif
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpsubd %ymm\l,%ymm\h,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vpmuldq %ymm\zl0,%ymm12,%ymm13
-vmovshdup %ymm12,%ymm\h
-vpmuldq %ymm\zl1,%ymm\h,%ymm14
-
-vpmuldq %ymm\zh0,%ymm12,%ymm12
-vpmuldq %ymm\zh1,%ymm\h,%ymm\h
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vpsubd %ymm13,%ymm12,%ymm12
-vpsubd %ymm14,%ymm\h,%ymm\h
-
-vmovshdup %ymm12,%ymm12
-vpblendd $0xAA,%ymm\h,%ymm12,%ymm\h
-.endm
-
-.macro levels0t5 off
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-/* level 0 */
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,5,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 6,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-72)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-72)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,9,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-104)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-104)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 10,11,1,3,2,15
-
-/* level 1 */
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,6,1,3,2,15
-butterfly 5,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,10,1,3,2,15
-butterfly 9,11,1,3,2,15
-
-/* level 2 */
-vpermq $0x1B,(_ZETAS_QINV+104-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+104-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,8,1,3,2,15
-butterfly 5,9,1,3,2,15
-butterfly 6,10,1,3,2,15
-butterfly 7,11,1,3,2,15
-
-/* level 3 */
-shuffle2 4,5,3,5
-shuffle2 6,7,4,7
-shuffle2 8,9,6,9
-shuffle2 10,11,8,11
-
-vpermq $0x1B,(_ZETAS_QINV+72-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+72-8*\off-8)*4(%rsi),%ymm2
-butterfly 3,5
-butterfly 4,7
-butterfly 6,9
-butterfly 8,11
-
-/* level 4 */
-shuffle4 3,4,10,4
-shuffle4 6,8,3,8
-shuffle4 5,7,6,7
-shuffle4 9,11,5,11
-
-vpermq $0x1B,(_ZETAS_QINV+40-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+40-8*\off-8)*4(%rsi),%ymm2
-butterfly 10,4
-butterfly 3,8
-butterfly 6,7
-butterfly 5,11
-
-/* level 5 */
-shuffle8 10,3,9,3
-shuffle8 6,5,10,5
-shuffle8 4,8,6,8
-shuffle8 7,11,4,11
-
-vpbroadcastd (_ZETAS_QINV+7-\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+7-\off)*4(%rsi),%ymm2
-butterfly 9,3
-butterfly 10,5
-butterfly 6,8
-butterfly 4,11
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm10,256*\off+ 32(%rdi)
-vmovdqa %ymm6,256*\off+ 64(%rdi)
-vmovdqa %ymm4,256*\off+ 96(%rdi)
-vmovdqa %ymm3,256*\off+128(%rdi)
-vmovdqa %ymm5,256*\off+160(%rdi)
-vmovdqa %ymm8,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.macro levels6t7 off
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-/* level 6 */
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-/* level 7 */
-vpbroadcastd (_ZETAS_QINV+0)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+0)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-
-vmovdqa (_8XDIV_QINV)*4(%rsi),%ymm1
-vmovdqa (_8XDIV)*4(%rsi),%ymm2
-vpmuldq %ymm1,%ymm4,%ymm12
-vpmuldq %ymm1,%ymm5,%ymm13
-vmovshdup %ymm4,%ymm8
-vmovshdup %ymm5,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm4,%ymm4
-vpmuldq %ymm2,%ymm5,%ymm5
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm4,%ymm4
-vpsubd %ymm13,%ymm5,%ymm5
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm4,%ymm4
-vmovshdup %ymm5,%ymm5
-vpblendd $0xAA,%ymm8,%ymm4,%ymm4
-vpblendd $0xAA,%ymm9,%ymm5,%ymm5
-
-vpmuldq %ymm1,%ymm6,%ymm12
-vpmuldq %ymm1,%ymm7,%ymm13
-vmovshdup %ymm6,%ymm8
-vmovshdup %ymm7,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm6,%ymm6
-vpmuldq %ymm2,%ymm7,%ymm7
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm6,%ymm6
-vpsubd %ymm13,%ymm7,%ymm7
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm6,%ymm6
-vmovshdup %ymm7,%ymm7
-vpblendd $0xAA,%ymm8,%ymm6,%ymm6
-vpblendd $0xAA,%ymm9,%ymm7,%ymm7
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-.endm
-
-.text
-.global cdecl(invntt_avx)
-cdecl(invntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t5 0
-levels0t5 1
-levels0t5 2
-levels0t5 3
-
-levels6t7 0
-levels6t7 1
-levels6t7 2
-levels6t7 3
-
-ret
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpmuldq %ymm\zl0,%ymm\h,%ymm13
-vmovshdup %ymm\h,%ymm12
-vpmuldq %ymm\zl1,%ymm12,%ymm14
-
-vpmuldq %ymm\zh0,%ymm\h,%ymm\h
-vpmuldq %ymm\zh1,%ymm12,%ymm12
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vmovshdup %ymm\h,%ymm\h
-vpblendd $0xAA,%ymm12,%ymm\h,%ymm\h
-
-vpsubd %ymm\h,%ymm\l,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vmovshdup %ymm13,%ymm13
-vpblendd $0xAA,%ymm14,%ymm13,%ymm13
-
-vpaddd %ymm13,%ymm12,%ymm\h
-vpsubd %ymm13,%ymm\l,%ymm\l
-.endm
-
-.macro levels0t1 off
-/* level 0 */
-vpbroadcastd (_ZETAS_QINV+1)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+1)*4(%rsi),%ymm2
-
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-/* level 1 */
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-.endm
-
-.macro levels2t7 off
-/* level 2 */
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-vpbroadcastd (_ZETAS_QINV+4+\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+4+\off)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-/* level 3 */
-vmovdqa (_ZETAS_QINV+8+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+8+8*\off)*4(%rsi),%ymm2
-
-butterfly 3,5
-butterfly 8,10
-butterfly 4,6
-butterfly 9,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-/* level 4 */
-vmovdqa (_ZETAS_QINV+40+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+40+8*\off)*4(%rsi),%ymm2
-
-butterfly 7,8
-butterfly 5,6
-butterfly 3,4
-butterfly 10,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-/* level 5 */
-vmovdqa (_ZETAS_QINV+72+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+72+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-
-butterfly 9,5,1,10,2,15
-butterfly 8,4,1,10,2,15
-butterfly 7,3,1,10,2,15
-butterfly 6,11,1,10,2,15
-
-/* level 6 */
-vmovdqa (_ZETAS_QINV+104+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,7,1,10,2,15
-butterfly 8,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+104+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,3,1,10,2,15
-butterfly 4,11,1,10,2,15
-
-/* level 7 */
-vmovdqa (_ZETAS_QINV+168+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,8,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 7,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+64)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+64)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,4,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+96)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+96)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 3,11,1,10,2,15
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm8,256*\off+ 32(%rdi)
-vmovdqa %ymm7,256*\off+ 64(%rdi)
-vmovdqa %ymm6,256*\off+ 96(%rdi)
-vmovdqa %ymm5,256*\off+128(%rdi)
-vmovdqa %ymm4,256*\off+160(%rdi)
-vmovdqa %ymm3,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.text
-.global cdecl(ntt_avx)
-cdecl(ntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t1 0
-levels0t1 1
-levels0t1 2
-levels0t1 3
-
-levels2t7 0
-levels2t7 1
-levels2t7 2
-levels2t7 3
-
-ret
-
+++ /dev/null
-#ifndef NTT_H
-#define NTT_H
-
-#include <immintrin.h>
-
-#define ntt_avx DILITHIUM_NAMESPACE(ntt_avx)
-void ntt_avx(__m256i *a, const __m256i *qdata);
-#define invntt_avx DILITHIUM_NAMESPACE(invntt_avx)
-void invntt_avx(__m256i *a, const __m256i *qdata);
-
-#define nttunpack_avx DILITHIUM_NAMESPACE(nttunpack_avx)
-void nttunpack_avx(__m256i *a);
-
-#define pointwise_avx DILITHIUM_NAMESPACE(pointwise_avx)
-void pointwise_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *qdata);
-#define pointwise_acc_avx DILITHIUM_NAMESPACE(pointwise_acc_avx)
-void pointwise_acc_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *qdata);
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- pk[i] = rho[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = pk[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = rho[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = key[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = tr[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s2->vec[i]);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- key[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- tr[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i=0; i < L; ++i)
- polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyeta_unpack(&s2->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h)
-{
- unsigned int i, j, k;
-
- for(i=0; i < SEEDBYTES; ++i)
- sig[i] = c[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for(i = 0; i < OMEGA + K; ++i)
- sig[i] = 0;
-
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- if(h->vec[i].coeffs[j] != 0)
- sig[k++] = j;
-
- sig[OMEGA + i] = k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES])
-{
- unsigned int i, j, k;
-
- for(i = 0; i < SEEDBYTES; ++i)
- c[i] = sig[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- h->vec[i].coeffs[j] = 0;
-
- if(sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
- return 1;
-
- for(j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > k && sig[j] <= sig[j-1]) return 1;
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for(j = k; j < OMEGA; ++j)
- if(sig[j])
- return 1;
-
- return 0;
-}
+++ /dev/null
-#ifndef PACKING_H
-#define PACKING_H
-
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#include "config.h"
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-
-#endif
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES 96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "consts.h"
-
-.text
-.global cdecl(pointwise_avx)
-cdecl(pointwise_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop1:
-#load
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa 64(%rsi),%ymm6
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vmovdqa 64(%rdx),%ymm14
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm6,%ymm7
-vpsrlq $32,%ymm10,%ymm11
-vpsrlq $32,%ymm12,%ymm13
-vmovshdup %ymm14,%ymm15
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-vpmuldq %ymm6,%ymm14,%ymm6
-vpmuldq %ymm7,%ymm15,%ymm7
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm0,%ymm6,%ymm14
-vpmuldq %ymm0,%ymm7,%ymm15
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpmuldq %ymm1,%ymm14,%ymm14
-vpmuldq %ymm1,%ymm15,%ymm15
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsubq %ymm14,%ymm6,%ymm6
-vpsubq %ymm15,%ymm7,%ymm7
-vpsrlq $32,%ymm2,%ymm2
-vpsrlq $32,%ymm4,%ymm4
-vmovshdup %ymm6,%ymm6
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-vpblendd $0xAA,%ymm7,%ymm6,%ymm6
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-
-add $96,%rdi
-add $96,%rsi
-add $96,%rdx
-add $1,%eax
-cmp $10,%eax
-jb _looptop1
-
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0x55,%ymm2,%ymm3,%ymm2
-vpblendd $0x55,%ymm4,%ymm5,%ymm4
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-ret
-
-.macro pointwise off
-#load
-vmovdqa \off(%rsi),%ymm6
-vmovdqa \off+32(%rsi),%ymm8
-vmovdqa \off(%rdx),%ymm10
-vmovdqa \off+32(%rdx),%ymm12
-vpsrlq $32,%ymm6,%ymm7
-vpsrlq $32,%ymm8,%ymm9
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm6,%ymm10,%ymm6
-vpmuldq %ymm7,%ymm11,%ymm7
-vpmuldq %ymm8,%ymm12,%ymm8
-vpmuldq %ymm9,%ymm13,%ymm9
-.endm
-
-.macro acc
-vpaddq %ymm6,%ymm2,%ymm2
-vpaddq %ymm7,%ymm3,%ymm3
-vpaddq %ymm8,%ymm4,%ymm4
-vpaddq %ymm9,%ymm5,%ymm5
-.endm
-
-.global cdecl(pointwise_acc_avx)
-cdecl(pointwise_acc_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop2:
-pointwise 0
-
-#mov
-vmovdqa %ymm6,%ymm2
-vmovdqa %ymm7,%ymm3
-vmovdqa %ymm8,%ymm4
-vmovdqa %ymm9,%ymm5
-
-pointwise 1024
-acc
-
-#if L >= 3
-pointwise 2048
-acc
-#endif
-
-#if L >= 4
-pointwise 3072
-acc
-#endif
-
-#if L >= 5
-pointwise 4096
-acc
-#endif
-
-#if L >= 6
-pointwise 5120
-acc
-#endif
-
-#if L >= 7
-pointwise 6144
-acc
-#endif
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm6
-vpmuldq %ymm0,%ymm3,%ymm7
-vpmuldq %ymm0,%ymm4,%ymm8
-vpmuldq %ymm0,%ymm5,%ymm9
-vpmuldq %ymm1,%ymm6,%ymm6
-vpmuldq %ymm1,%ymm7,%ymm7
-vpmuldq %ymm1,%ymm8,%ymm8
-vpmuldq %ymm1,%ymm9,%ymm9
-vpsubq %ymm6,%ymm2,%ymm2
-vpsubq %ymm7,%ymm3,%ymm3
-vpsubq %ymm8,%ymm4,%ymm4
-vpsubq %ymm9,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-add $64,%rsi
-add $64,%rdx
-add $64,%rdi
-add $1,%eax
-cmp $16,%eax
-jb _looptop2
-
-ret
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include <string.h>
-#include "align.h"
-#include "params.h"
-#include "poly.h"
-#include "ntt.h"
-#include "rounding.h"
-#include "rejsample.h"
-#include "consts.h"
-#include "symmetric.h"
-#ifndef DILITHIUM_USE_AES
-#include "fips202x4.h"
-#endif
-
-#ifdef DBENCH
-#include "test/cpucycles.h"
-extern const uint64_t timing_overhead;
-extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
-#define DBENCH_START() uint64_t time = cpucycles()
-#define DBENCH_STOP(t) t += cpucycles() - time - timing_overhead
-#else
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-#endif
-
-#define _mm256_blendv_epi32(a,b,mask) \
- _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \
- _mm256_castsi256_ps(b), \
- _mm256_castsi256_ps(mask)))
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007]. Assumes input
-* coefficients to be at most 2^31 - 2^22 - 1 in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_reduce(poly *a) {
- unsigned int i;
- __m256i f,g;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i off = _mm256_set1_epi32(1<<22);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_add_epi32(f,off);
- g = _mm256_srai_epi32(g,23);
- g = _mm256_mullo_epi32(g,q);
- f = _mm256_sub_epi32(f,g);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_addq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_caddq(poly *a) {
- unsigned int i;
- __m256i f,g;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i zero = _mm256_setzero_si256();
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_blendv_epi32(zero,q,f);
- f = _mm256_add_epi32(f,g);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f,g;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_load_si256(&b->vec[i]);
- f = _mm256_add_epi32(f,g);
- _mm256_store_si256(&c->vec[i],f);
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f,g;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_load_si256(&b->vec[i]);
- f = _mm256_sub_epi32(f,g);
- _mm256_store_si256(&c->vec[i],f);
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- __m256i f;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_slli_epi32(f,D);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by up to
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt_avx(a->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_avx(a->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-void poly_nttunpack(poly *a) {
- DBENCH_START();
-
- nttunpack_avx(a->vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- pointwise_avx(c->vec, a->vec, b->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod^+ Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_power2round(poly *a1, poly *a0, const poly *a)
-{
- DBENCH_START();
-
- power2round_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod^+ Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except if c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a)
-{
- DBENCH_START();
-
- decompose_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint array. The coefficients of which are the
-* indices of the coefficients of the input polynomial
-* whose low bits overflow into the high bits.
-*
-* Arguments: - uint8_t *h: pointer to output hint array (preallocated of length N)
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of hints, i.e. length of hint array.
-**************************************************/
-unsigned int poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1)
-{
- unsigned int r;
- DBENCH_START();
-
- r = make_hint_avx(hint, a0->vec, a1->vec);
-
- DBENCH_STOP(*tround);
- return r;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h)
-{
- DBENCH_START();
-
- use_hint_avx(b->vec, a->vec, h->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input polynomial to be reduced by poly_reduce().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int r;
- __m256i f,t;
- const __m256i bound = _mm256_set1_epi32(B-1);
- DBENCH_START();
-
- if(B > (Q-1)/8)
- return 1;
-
- t = _mm256_setzero_si256();
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_abs_epi32(f);
- f = _mm256_cmpgt_epi32(f,bound);
- t = _mm256_or_si256(t,f);
- }
-
- r = 1 - _mm256_testz_si256(t,t);
- DBENCH_STOP(*tsample);
- return r;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- a[ctr++] = t;
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void poly_uniform_preinit(poly *a, stream128_state *state)
-{
- unsigned int ctr;
- /* rej_uniform_avx reads up to 8 additional bytes */
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf;
-
- stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_NBLOCKS, state);
- ctr = rej_uniform_avx(a->coeffs, buf.coeffs);
-
- while(ctr < N) {
- /* length of buf is always divisible by 3; hence, no bytes left */
- stream128_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
- }
-}
-
-void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- stream128_state state;
- stream128_init(&state, seed, nonce);
- poly_uniform_preinit(a, &state);
- stream128_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[32],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
- shake128x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)seed);
- _mm256_store_si256(buf[0].vec,f);
- _mm256_store_si256(buf[1].vec,f);
- _mm256_store_si256(buf[2].vec,f);
- _mm256_store_si256(buf[3].vec,f);
-
- buf[0].coeffs[SEEDBYTES+0] = nonce0;
- buf[0].coeffs[SEEDBYTES+1] = nonce0 >> 8;
- buf[1].coeffs[SEEDBYTES+0] = nonce1;
- buf[1].coeffs[SEEDBYTES+1] = nonce1 >> 8;
- buf[2].coeffs[SEEDBYTES+0] = nonce2;
- buf[2].coeffs[SEEDBYTES+1] = nonce2 >> 8;
- buf[3].coeffs[SEEDBYTES+0] = nonce3;
- buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
-
- shake128x4_inc_init(&state);
- shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
-
- ctr0 = rej_uniform_avx(a0->coeffs, buf[0].coeffs);
- ctr1 = rej_uniform_avx(a1->coeffs, buf[1].coeffs);
- ctr2 = rej_uniform_avx(a2->coeffs, buf[2].coeffs);
- ctr3 = rej_uniform_avx(a3->coeffs, buf[3].coeffs);
-
- while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
-
- ctr0 += rej_uniform(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
- ctr1 += rej_uniform(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
- ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
- ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
- }
- shake128x4_inc_ctx_release(&state);
-}
-#endif
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-#if ETA == 2
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- a[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < len) {
- t1 = t1 - (205*t1 >> 10)*5;
- a[ctr++] = 2 - t1;
- }
-#elif ETA == 4
- if(t0 < 9)
- a[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < len)
- a[ctr++] = 4 - t1;
-#endif
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling using the
-* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void poly_uniform_eta_preinit(poly *a, stream256_state *state)
-{
- unsigned int ctr;
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
-
- stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
- ctr = rej_eta_avx(a->coeffs, buf.coeffs);
-
- while(ctr < N) {
- stream256_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
- }
-}
-
-void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_eta_preinit(a, &state);
- stream256_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_eta_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[64],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
-
- __m256i f;
- shake256x4incctx state;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
- _mm256_store_si256(&buf[1].vec[0],f);
- _mm256_store_si256(&buf[2].vec[0],f);
- _mm256_store_si256(&buf[3].vec[0],f);
- f = _mm256_loadu_si256((__m256i *)&seed[32]);
- _mm256_store_si256(&buf[0].vec[1],f);
- _mm256_store_si256(&buf[1].vec[1],f);
- _mm256_store_si256(&buf[2].vec[1],f);
- _mm256_store_si256(&buf[3].vec[1],f);
-
- buf[0].coeffs[64] = nonce0;
- buf[0].coeffs[65] = nonce0 >> 8;
- buf[1].coeffs[64] = nonce1;
- buf[1].coeffs[65] = nonce1 >> 8;
- buf[2].coeffs[64] = nonce2;
- buf[2].coeffs[65] = nonce2 >> 8;
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
- shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr0 = rej_eta_avx(a0->coeffs, buf[0].coeffs);
- ctr1 = rej_eta_avx(a1->coeffs, buf[1].coeffs);
- ctr2 = rej_eta_avx(a2->coeffs, buf[2].coeffs);
- ctr3 = rej_eta_avx(a3->coeffs, buf[3].coeffs);
-
- while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
-
- ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
- ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
- ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
- ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
- }
- shake256x4_inc_ctx_release(&state);
-}
-#endif
-
-/*************************************************
-* Name: poly_uniform_gamma1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1_preinit(poly *a, stream256_state *state)
-{
- /* polyz_unpack reads 14 additional bytes */
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf;
- stream256_squeezeblocks(buf.coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, state);
- polyz_unpack(a, buf.coeffs);
-}
-
-void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_gamma1_preinit(a, &state);
- stream256_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_gamma1_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[64],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
- shake256x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
- _mm256_store_si256(&buf[1].vec[0],f);
- _mm256_store_si256(&buf[2].vec[0],f);
- _mm256_store_si256(&buf[3].vec[0],f);
- f = _mm256_loadu_si256((__m256i *)&seed[32]);
- _mm256_store_si256(&buf[0].vec[1],f);
- _mm256_store_si256(&buf[1].vec[1],f);
- _mm256_store_si256(&buf[2].vec[1],f);
- _mm256_store_si256(&buf[3].vec[1],f);
-
- buf[0].coeffs[64] = nonce0;
- buf[0].coeffs[65] = nonce0 >> 8;
- buf[1].coeffs[64] = nonce1;
- buf[1].coeffs[65] = nonce1 >> 8;
- buf[2].coeffs[64] = nonce2;
- buf[2].coeffs[65] = nonce2 >> 8;
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
- shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- shake256x4_inc_ctx_release(&state);
-
- polyz_unpack(a0, buf[0].coeffs);
- polyz_unpack(a1, buf[1].coeffs);
- polyz_unpack(a2, buf[2].coeffs);
- polyz_unpack(a3, buf[3].coeffs);
-}
-#endif
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- ALIGNED_UINT8(SHAKE256_RATE) buf;
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
-
- memcpy(&signs, buf.coeffs, 8);
- pos = 8;
-
- memset(c->vec, 0, sizeof(poly));
- for(i = N-TAU; i < N; ++i) {
- do {
- if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(buf.coeffs, 1, &state);
- pos = 0;
- }
-
- b = buf.coeffs[pos++];
- } while(b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
-
- r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
- r[i] = t[0] | (t[1] << 4);
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly * restrict r, const uint8_t a[POLYETA_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
- r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
- r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7;
- r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7;
- r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7;
- r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7;
- r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
- r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
-
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[i] & 0x0F;
- r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r[5*i+0] = (a->coeffs[4*i+0] >> 0);
- r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2);
- r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4);
- r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6);
- r[5*i+4] = (a->coeffs[4*i+3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are positive standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt1_unpack(poly * restrict r, const uint8_t a[POLYT1_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF;
- r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF;
- r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF;
- r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- t[0] = (1 << (D-1)) - a->coeffs[8*i+0];
- t[1] = (1 << (D-1)) - a->coeffs[8*i+1];
- t[2] = (1 << (D-1)) - a->coeffs[8*i+2];
- t[3] = (1 << (D-1)) - a->coeffs[8*i+3];
- t[4] = (1 << (D-1)) - a->coeffs[8*i+4];
- t[5] = (1 << (D-1)) - a->coeffs[8*i+5];
- t[6] = (1 << (D-1)) - a->coeffs[8*i+6];
- t[7] = (1 << (D-1)) - a->coeffs[8*i+7];
-
- r[13*i+ 0] = t[0];
- r[13*i+ 1] = t[0] >> 8;
- r[13*i+ 1] |= t[1] << 5;
- r[13*i+ 2] = t[1] >> 3;
- r[13*i+ 3] = t[1] >> 11;
- r[13*i+ 3] |= t[2] << 2;
- r[13*i+ 4] = t[2] >> 6;
- r[13*i+ 4] |= t[3] << 7;
- r[13*i+ 5] = t[3] >> 1;
- r[13*i+ 6] = t[3] >> 9;
- r[13*i+ 6] |= t[4] << 4;
- r[13*i+ 7] = t[4] >> 4;
- r[13*i+ 8] = t[4] >> 12;
- r[13*i+ 8] |= t[5] << 1;
- r[13*i+ 9] = t[5] >> 7;
- r[13*i+ 9] |= t[6] << 6;
- r[13*i+10] = t[6] >> 2;
- r[13*i+11] = t[6] >> 10;
- r[13*i+11] |= t[7] << 3;
- r[13*i+12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly * restrict r, const uint8_t a[POLYT0_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = a[13*i+0];
- r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8;
- r->coeffs[8*i+0] &= 0x1FFF;
-
- r->coeffs[8*i+1] = a[13*i+1] >> 5;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11;
- r->coeffs[8*i+1] &= 0x1FFF;
-
- r->coeffs[8*i+2] = a[13*i+3] >> 2;
- r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6;
- r->coeffs[8*i+2] &= 0x1FFF;
-
- r->coeffs[8*i+3] = a[13*i+4] >> 7;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9;
- r->coeffs[8*i+3] &= 0x1FFF;
-
- r->coeffs[8*i+4] = a[13*i+6] >> 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12;
- r->coeffs[8*i+4] &= 0x1FFF;
-
- r->coeffs[8*i+5] = a[13*i+8] >> 1;
- r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7;
- r->coeffs[8*i+5] &= 0x1FFF;
-
- r->coeffs[8*i+6] = a[13*i+9] >> 6;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10;
- r->coeffs[8*i+6] &= 0x1FFF;
-
- r->coeffs[8*i+7] = a[13*i+11] >> 3;
- r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5;
- r->coeffs[8*i+7] &= 0x1FFF;
-
- r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
-
- r[9*i+0] = t[0];
- r[9*i+1] = t[0] >> 8;
- r[9*i+2] = t[0] >> 16;
- r[9*i+2] |= t[1] << 2;
- r[9*i+3] = t[1] >> 6;
- r[9*i+4] = t[1] >> 14;
- r[9*i+4] |= t[2] << 4;
- r[9*i+5] = t[2] >> 4;
- r[9*i+6] = t[2] >> 12;
- r[9*i+6] |= t[3] << 6;
- r[9*i+7] = t[3] >> 2;
- r[9*i+8] = t[3] >> 10;
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
-
- r[5*i+0] = t[0];
- r[5*i+1] = t[0] >> 8;
- r[5*i+2] = t[0] >> 16;
- r[5*i+2] |= t[1] << 4;
- r[5*i+3] = t[1] >> 4;
- r[5*i+4] = t[1] >> 12;
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-#if GAMMA1 == (1 << 17)
-void polyz_unpack(poly * restrict r, const uint8_t *a) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1, 9, 8, 7,-1, 7, 6, 5,-1, 5, 4, 3,-1, 3, 2, 1,
- -1, 8, 7, 6,-1, 6, 5, 4,-1, 4, 3, 2,-1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set_epi32(6,4,2,0,6,4,2,0);
- const __m256i mask = _mm256_set1_epi32(0x3FFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[18*i]);
- f = _mm256_permute4x64_epi64(f,0x94);
- f = _mm256_shuffle_epi8(f,shufbidx);
- f = _mm256_srlv_epi32(f,srlvdidx);
- f = _mm256_and_si256(f,mask);
- f = _mm256_sub_epi32(gamma1,f);
- _mm256_store_si256(&r->vec[i],f);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-#elif GAMMA1 == (1 << 19)
-void polyz_unpack(poly * restrict r, const uint8_t *a) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1,11,10, 9,-1, 9, 8, 7,-1, 6, 5, 4,-1, 4, 3, 2,
- -1, 9, 8, 7,-1, 7, 6, 5,-1, 4, 3, 2,-1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set1_epi64x((uint64_t)4 << 32);
- const __m256i mask = _mm256_set1_epi32(0xFFFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[20*i]);
- f = _mm256_permute4x64_epi64(f,0x94);
- f = _mm256_shuffle_epi8(f,shufbidx);
- f = _mm256_srlv_epi32(f,srlvdidx);
- f = _mm256_and_si256(f,mask);
- f = _mm256_sub_epi32(gamma1,f);
- _mm256_store_si256(&r->vec[i],f);
- }
-
- DBENCH_STOP(*tpack);
-}
-#endif
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-#if GAMMA2 == (Q-1)/88
-void polyw1_pack(uint8_t *r, const poly * restrict a) {
- unsigned int i;
- __m256i f0,f1,f2,f3;
- const __m256i shift1 = _mm256_set1_epi16((64 << 8) + 1);
- const __m256i shift2 = _mm256_set1_epi32((4096 << 16) + 1);
- const __m256i shufdidx1 = _mm256_set_epi32(7,3,6,2,5,1,4,0);
- const __m256i shufdidx2 = _mm256_set_epi32(-1,-1,6,5,4,2,1,0);
- const __m256i shufbidx = _mm256_set_epi8(-1,-1,-1,-1,14,13,12,10, 9, 8, 6, 5, 4, 2, 1, 0,
- -1,-1,-1,-1,14,13,12,10, 9, 8, 6, 5, 4, 2, 1, 0);
- DBENCH_START();
-
- for(i = 0; i < N/32; i++) {
- f0 = _mm256_load_si256(&a->vec[4*i+0]);
- f1 = _mm256_load_si256(&a->vec[4*i+1]);
- f2 = _mm256_load_si256(&a->vec[4*i+2]);
- f3 = _mm256_load_si256(&a->vec[4*i+3]);
- f0 = _mm256_packus_epi32(f0,f1);
- f1 = _mm256_packus_epi32(f2,f3);
- f0 = _mm256_packus_epi16(f0,f1);
- f0 = _mm256_maddubs_epi16(f0,shift1);
- f0 = _mm256_madd_epi16(f0,shift2);
- f0 = _mm256_permutevar8x32_epi32(f0,shufdidx1);
- f0 = _mm256_shuffle_epi8(f0,shufbidx);
- f0 = _mm256_permutevar8x32_epi32(f0,shufdidx2);
- _mm256_storeu_si256((__m256i *)&r[24*i],f0);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-#elif GAMMA2 == (Q-1)/32
-void polyw1_pack(uint8_t *r, const poly * restrict a) {
- unsigned int i;
- __m256i f0, f1, f2, f3, f4, f5, f6, f7;
- const __m256i shift = _mm256_set1_epi16((16 << 8) + 1);
- const __m256i shufbidx = _mm256_set_epi8(15,14, 7, 6,13,12, 5, 4,11,10, 3, 2, 9, 8, 1, 0,
- 15,14, 7, 6,13,12, 5, 4,11,10, 3, 2, 9, 8, 1, 0);
- DBENCH_START();
-
- for(i = 0; i < N/64; ++i) {
- f0 = _mm256_load_si256(&a->vec[8*i+0]);
- f1 = _mm256_load_si256(&a->vec[8*i+1]);
- f2 = _mm256_load_si256(&a->vec[8*i+2]);
- f3 = _mm256_load_si256(&a->vec[8*i+3]);
- f4 = _mm256_load_si256(&a->vec[8*i+4]);
- f5 = _mm256_load_si256(&a->vec[8*i+5]);
- f6 = _mm256_load_si256(&a->vec[8*i+6]);
- f7 = _mm256_load_si256(&a->vec[8*i+7]);
- f0 = _mm256_packus_epi32(f0,f1);
- f1 = _mm256_packus_epi32(f2,f3);
- f2 = _mm256_packus_epi32(f4,f5);
- f3 = _mm256_packus_epi32(f6,f7);
- f0 = _mm256_packus_epi16(f0,f1);
- f1 = _mm256_packus_epi16(f2,f3);
- f0 = _mm256_maddubs_epi16(f0,shift);
- f1 = _mm256_maddubs_epi16(f1,shift);
- f0 = _mm256_packus_epi16(f0,f1);
- f0 = _mm256_permute4x64_epi64(f0,0xD8);
- f0 = _mm256_shuffle_epi8(f0,shufbidx);
- _mm256_storeu_si256((__m256i *)&r[32*i], f0);
- }
-
- DBENCH_STOP(*tpack);
-}
-#endif
+++ /dev/null
-#ifndef POLY_H
-#define POLY_H
-
-#include <stdint.h>
-#include "align.h"
-#include "params.h"
-#include "symmetric.h"
-
-typedef ALIGNED_INT32(N) poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_nttunpack DILITHIUM_NAMESPACE(poly_nttunpack)
-void poly_nttunpack(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform_preinit DILITHIUM_NAMESPACE(poly_uniform_preinit)
-void poly_uniform_preinit(poly *a, stream128_state *state);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-#define poly_uniform_eta_preinit DILITHIUM_NAMESPACE(poly_uniform_eta_preinit)
-void poly_uniform_eta_preinit(poly *a, stream256_state *state);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-#define poly_uniform_gamma1_preinit DILITHIUM_NAMESPACE(poly_uniform_gamma1_preinit)
-void poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#ifndef DILITHIUM_USE_AES
-#define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x)
-void poly_uniform_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#define poly_uniform_eta_4x DILITHIUM_NAMESPACE(poly_uniform_eta_4x)
-void poly_uniform_eta_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#define poly_uniform_gamma1_4x DILITHIUM_NAMESPACE(poly_uniform_gamma1_4x)
-void poly_uniform_gamma1_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#endif
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t a[POLYETA_PACKEDBYTES]);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t a[POLYT1_PACKEDBYTES]);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t a[POLYT0_PACKEDBYTES]);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "ntt.h"
-#include "consts.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-#ifdef DILITHIUM_USE_AES
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
- aes256_ctx_release(&state);
-}
-
-#elif K == 4 && L == 4
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvec_matrix_expand_row0(&mat[0], NULL, rho);
- polyvec_matrix_expand_row1(&mat[1], NULL, rho);
- polyvec_matrix_expand_row2(&mat[2], NULL, rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 256, 257, 258, 259);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 512, 513, 514, 515);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 768, 769, 770, 771);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-#elif K == 6 && L == 5
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvecl tmp;
- polyvec_matrix_expand_row0(&mat[0], &mat[1], rho);
- polyvec_matrix_expand_row1(&mat[1], &mat[2], rho);
- polyvec_matrix_expand_row2(&mat[2], &mat[3], rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
- polyvec_matrix_expand_row4(&mat[4], &mat[5], rho);
- polyvec_matrix_expand_row5(&mat[5], &tmp, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_uniform_4x(&rowa->vec[4], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 4, 256, 257, 258);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowb->vec[0], &rowb->vec[1], rho, 259, 260, 512, 513);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowb->vec[0], rho, 514, 515, 516, 768);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 769, 770, 771, 772);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
-}
-
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 1024, 1025, 1026, 1027);
- poly_uniform_4x(&rowa->vec[4], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 1028, 1280, 1281, 1282);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowb->vec[0], &rowb->vec[1], rho, 1283, 1284, 1536, 1537);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
-}
-
-#elif K == 8 && L == 7
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvec_matrix_expand_row0(&mat[0], &mat[1], rho);
- polyvec_matrix_expand_row1(&mat[1], &mat[2], rho);
- polyvec_matrix_expand_row2(&mat[2], &mat[3], rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
- polyvec_matrix_expand_row4(&mat[4], &mat[5], rho);
- polyvec_matrix_expand_row5(&mat[5], &mat[6], rho);
- polyvec_matrix_expand_row6(&mat[6], &mat[7], rho);
- polyvec_matrix_expand_row7(&mat[7], NULL, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_uniform_4x(&rowa->vec[4], &rowa->vec[5], &rowa->vec[6], &rowb->vec[0], rho, 4, 5, 6, 256);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 257, 258, 259, 260);
- poly_uniform_4x(&rowa->vec[5], &rowa->vec[6], &rowb->vec[0], &rowb->vec[1], rho, 261, 262, 512, 513);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowa->vec[5], rho, 514, 515, 516, 517);
- poly_uniform_4x(&rowa->vec[6], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 518, 768, 769, 770);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 771, 772, 773, 774);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
-}
-
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 1024, 1025, 1026, 1027);
- poly_uniform_4x(&rowa->vec[4], &rowa->vec[5], &rowa->vec[6], &rowb->vec[0], rho, 1028, 1029, 1030, 1280);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 1281, 1282, 1283, 1284);
- poly_uniform_4x(&rowa->vec[5], &rowa->vec[6], &rowb->vec[0], &rowb->vec[1], rho, 1285, 1286, 1536, 1537);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowa->vec[5], rho, 1538, 1539, 1540, 1541);
- poly_uniform_4x(&rowa->vec[6], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 1542, 1792, 1793, 1794);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row7(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 1795, 1796, 1797, 1798);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
-}
-
-#else
-#error
-#endif
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v) {
- pointwise_acc_avx(w->vec, u->vec->vec, v->vec->vec, qdata.vec);
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_caddq(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_shiftl(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - uint8_t *hint: pointer to output hint array
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1)
-{
- unsigned int i, n = 0;
-
- for(i = 0; i < K; ++i)
- n += poly_make_hint(&hint[n], &v0->vec[i], &v1->vec[i]);
-
- return n;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
-}
-
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyw1_pack(&r[i*POLYW1_PACKEDBYTES], &w1->vec[i]);
-}
+++ /dev/null
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery \
- DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#ifndef DILITHIUM_USE_AES
-#define polyvec_matrix_expand_row0 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row0)
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row1 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row1)
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row2 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row2)
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row3 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row3)
-void polyvec_matrix_expand_row3(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row4 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row4)
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row5 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row5)
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row6 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row6)
-void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row7 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row7)
-void polyvec_matrix_expand_row7(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#endif
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include "params.h"
-#include "rejsample.h"
-#include "symmetric.h"
-
-const uint8_t idxlut[256][8] = {
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 1, 0, 0, 0, 0, 0, 0, 0},
- { 0, 1, 0, 0, 0, 0, 0, 0},
- { 2, 0, 0, 0, 0, 0, 0, 0},
- { 0, 2, 0, 0, 0, 0, 0, 0},
- { 1, 2, 0, 0, 0, 0, 0, 0},
- { 0, 1, 2, 0, 0, 0, 0, 0},
- { 3, 0, 0, 0, 0, 0, 0, 0},
- { 0, 3, 0, 0, 0, 0, 0, 0},
- { 1, 3, 0, 0, 0, 0, 0, 0},
- { 0, 1, 3, 0, 0, 0, 0, 0},
- { 2, 3, 0, 0, 0, 0, 0, 0},
- { 0, 2, 3, 0, 0, 0, 0, 0},
- { 1, 2, 3, 0, 0, 0, 0, 0},
- { 0, 1, 2, 3, 0, 0, 0, 0},
- { 4, 0, 0, 0, 0, 0, 0, 0},
- { 0, 4, 0, 0, 0, 0, 0, 0},
- { 1, 4, 0, 0, 0, 0, 0, 0},
- { 0, 1, 4, 0, 0, 0, 0, 0},
- { 2, 4, 0, 0, 0, 0, 0, 0},
- { 0, 2, 4, 0, 0, 0, 0, 0},
- { 1, 2, 4, 0, 0, 0, 0, 0},
- { 0, 1, 2, 4, 0, 0, 0, 0},
- { 3, 4, 0, 0, 0, 0, 0, 0},
- { 0, 3, 4, 0, 0, 0, 0, 0},
- { 1, 3, 4, 0, 0, 0, 0, 0},
- { 0, 1, 3, 4, 0, 0, 0, 0},
- { 2, 3, 4, 0, 0, 0, 0, 0},
- { 0, 2, 3, 4, 0, 0, 0, 0},
- { 1, 2, 3, 4, 0, 0, 0, 0},
- { 0, 1, 2, 3, 4, 0, 0, 0},
- { 5, 0, 0, 0, 0, 0, 0, 0},
- { 0, 5, 0, 0, 0, 0, 0, 0},
- { 1, 5, 0, 0, 0, 0, 0, 0},
- { 0, 1, 5, 0, 0, 0, 0, 0},
- { 2, 5, 0, 0, 0, 0, 0, 0},
- { 0, 2, 5, 0, 0, 0, 0, 0},
- { 1, 2, 5, 0, 0, 0, 0, 0},
- { 0, 1, 2, 5, 0, 0, 0, 0},
- { 3, 5, 0, 0, 0, 0, 0, 0},
- { 0, 3, 5, 0, 0, 0, 0, 0},
- { 1, 3, 5, 0, 0, 0, 0, 0},
- { 0, 1, 3, 5, 0, 0, 0, 0},
- { 2, 3, 5, 0, 0, 0, 0, 0},
- { 0, 2, 3, 5, 0, 0, 0, 0},
- { 1, 2, 3, 5, 0, 0, 0, 0},
- { 0, 1, 2, 3, 5, 0, 0, 0},
- { 4, 5, 0, 0, 0, 0, 0, 0},
- { 0, 4, 5, 0, 0, 0, 0, 0},
- { 1, 4, 5, 0, 0, 0, 0, 0},
- { 0, 1, 4, 5, 0, 0, 0, 0},
- { 2, 4, 5, 0, 0, 0, 0, 0},
- { 0, 2, 4, 5, 0, 0, 0, 0},
- { 1, 2, 4, 5, 0, 0, 0, 0},
- { 0, 1, 2, 4, 5, 0, 0, 0},
- { 3, 4, 5, 0, 0, 0, 0, 0},
- { 0, 3, 4, 5, 0, 0, 0, 0},
- { 1, 3, 4, 5, 0, 0, 0, 0},
- { 0, 1, 3, 4, 5, 0, 0, 0},
- { 2, 3, 4, 5, 0, 0, 0, 0},
- { 0, 2, 3, 4, 5, 0, 0, 0},
- { 1, 2, 3, 4, 5, 0, 0, 0},
- { 0, 1, 2, 3, 4, 5, 0, 0},
- { 6, 0, 0, 0, 0, 0, 0, 0},
- { 0, 6, 0, 0, 0, 0, 0, 0},
- { 1, 6, 0, 0, 0, 0, 0, 0},
- { 0, 1, 6, 0, 0, 0, 0, 0},
- { 2, 6, 0, 0, 0, 0, 0, 0},
- { 0, 2, 6, 0, 0, 0, 0, 0},
- { 1, 2, 6, 0, 0, 0, 0, 0},
- { 0, 1, 2, 6, 0, 0, 0, 0},
- { 3, 6, 0, 0, 0, 0, 0, 0},
- { 0, 3, 6, 0, 0, 0, 0, 0},
- { 1, 3, 6, 0, 0, 0, 0, 0},
- { 0, 1, 3, 6, 0, 0, 0, 0},
- { 2, 3, 6, 0, 0, 0, 0, 0},
- { 0, 2, 3, 6, 0, 0, 0, 0},
- { 1, 2, 3, 6, 0, 0, 0, 0},
- { 0, 1, 2, 3, 6, 0, 0, 0},
- { 4, 6, 0, 0, 0, 0, 0, 0},
- { 0, 4, 6, 0, 0, 0, 0, 0},
- { 1, 4, 6, 0, 0, 0, 0, 0},
- { 0, 1, 4, 6, 0, 0, 0, 0},
- { 2, 4, 6, 0, 0, 0, 0, 0},
- { 0, 2, 4, 6, 0, 0, 0, 0},
- { 1, 2, 4, 6, 0, 0, 0, 0},
- { 0, 1, 2, 4, 6, 0, 0, 0},
- { 3, 4, 6, 0, 0, 0, 0, 0},
- { 0, 3, 4, 6, 0, 0, 0, 0},
- { 1, 3, 4, 6, 0, 0, 0, 0},
- { 0, 1, 3, 4, 6, 0, 0, 0},
- { 2, 3, 4, 6, 0, 0, 0, 0},
- { 0, 2, 3, 4, 6, 0, 0, 0},
- { 1, 2, 3, 4, 6, 0, 0, 0},
- { 0, 1, 2, 3, 4, 6, 0, 0},
- { 5, 6, 0, 0, 0, 0, 0, 0},
- { 0, 5, 6, 0, 0, 0, 0, 0},
- { 1, 5, 6, 0, 0, 0, 0, 0},
- { 0, 1, 5, 6, 0, 0, 0, 0},
- { 2, 5, 6, 0, 0, 0, 0, 0},
- { 0, 2, 5, 6, 0, 0, 0, 0},
- { 1, 2, 5, 6, 0, 0, 0, 0},
- { 0, 1, 2, 5, 6, 0, 0, 0},
- { 3, 5, 6, 0, 0, 0, 0, 0},
- { 0, 3, 5, 6, 0, 0, 0, 0},
- { 1, 3, 5, 6, 0, 0, 0, 0},
- { 0, 1, 3, 5, 6, 0, 0, 0},
- { 2, 3, 5, 6, 0, 0, 0, 0},
- { 0, 2, 3, 5, 6, 0, 0, 0},
- { 1, 2, 3, 5, 6, 0, 0, 0},
- { 0, 1, 2, 3, 5, 6, 0, 0},
- { 4, 5, 6, 0, 0, 0, 0, 0},
- { 0, 4, 5, 6, 0, 0, 0, 0},
- { 1, 4, 5, 6, 0, 0, 0, 0},
- { 0, 1, 4, 5, 6, 0, 0, 0},
- { 2, 4, 5, 6, 0, 0, 0, 0},
- { 0, 2, 4, 5, 6, 0, 0, 0},
- { 1, 2, 4, 5, 6, 0, 0, 0},
- { 0, 1, 2, 4, 5, 6, 0, 0},
- { 3, 4, 5, 6, 0, 0, 0, 0},
- { 0, 3, 4, 5, 6, 0, 0, 0},
- { 1, 3, 4, 5, 6, 0, 0, 0},
- { 0, 1, 3, 4, 5, 6, 0, 0},
- { 2, 3, 4, 5, 6, 0, 0, 0},
- { 0, 2, 3, 4, 5, 6, 0, 0},
- { 1, 2, 3, 4, 5, 6, 0, 0},
- { 0, 1, 2, 3, 4, 5, 6, 0},
- { 7, 0, 0, 0, 0, 0, 0, 0},
- { 0, 7, 0, 0, 0, 0, 0, 0},
- { 1, 7, 0, 0, 0, 0, 0, 0},
- { 0, 1, 7, 0, 0, 0, 0, 0},
- { 2, 7, 0, 0, 0, 0, 0, 0},
- { 0, 2, 7, 0, 0, 0, 0, 0},
- { 1, 2, 7, 0, 0, 0, 0, 0},
- { 0, 1, 2, 7, 0, 0, 0, 0},
- { 3, 7, 0, 0, 0, 0, 0, 0},
- { 0, 3, 7, 0, 0, 0, 0, 0},
- { 1, 3, 7, 0, 0, 0, 0, 0},
- { 0, 1, 3, 7, 0, 0, 0, 0},
- { 2, 3, 7, 0, 0, 0, 0, 0},
- { 0, 2, 3, 7, 0, 0, 0, 0},
- { 1, 2, 3, 7, 0, 0, 0, 0},
- { 0, 1, 2, 3, 7, 0, 0, 0},
- { 4, 7, 0, 0, 0, 0, 0, 0},
- { 0, 4, 7, 0, 0, 0, 0, 0},
- { 1, 4, 7, 0, 0, 0, 0, 0},
- { 0, 1, 4, 7, 0, 0, 0, 0},
- { 2, 4, 7, 0, 0, 0, 0, 0},
- { 0, 2, 4, 7, 0, 0, 0, 0},
- { 1, 2, 4, 7, 0, 0, 0, 0},
- { 0, 1, 2, 4, 7, 0, 0, 0},
- { 3, 4, 7, 0, 0, 0, 0, 0},
- { 0, 3, 4, 7, 0, 0, 0, 0},
- { 1, 3, 4, 7, 0, 0, 0, 0},
- { 0, 1, 3, 4, 7, 0, 0, 0},
- { 2, 3, 4, 7, 0, 0, 0, 0},
- { 0, 2, 3, 4, 7, 0, 0, 0},
- { 1, 2, 3, 4, 7, 0, 0, 0},
- { 0, 1, 2, 3, 4, 7, 0, 0},
- { 5, 7, 0, 0, 0, 0, 0, 0},
- { 0, 5, 7, 0, 0, 0, 0, 0},
- { 1, 5, 7, 0, 0, 0, 0, 0},
- { 0, 1, 5, 7, 0, 0, 0, 0},
- { 2, 5, 7, 0, 0, 0, 0, 0},
- { 0, 2, 5, 7, 0, 0, 0, 0},
- { 1, 2, 5, 7, 0, 0, 0, 0},
- { 0, 1, 2, 5, 7, 0, 0, 0},
- { 3, 5, 7, 0, 0, 0, 0, 0},
- { 0, 3, 5, 7, 0, 0, 0, 0},
- { 1, 3, 5, 7, 0, 0, 0, 0},
- { 0, 1, 3, 5, 7, 0, 0, 0},
- { 2, 3, 5, 7, 0, 0, 0, 0},
- { 0, 2, 3, 5, 7, 0, 0, 0},
- { 1, 2, 3, 5, 7, 0, 0, 0},
- { 0, 1, 2, 3, 5, 7, 0, 0},
- { 4, 5, 7, 0, 0, 0, 0, 0},
- { 0, 4, 5, 7, 0, 0, 0, 0},
- { 1, 4, 5, 7, 0, 0, 0, 0},
- { 0, 1, 4, 5, 7, 0, 0, 0},
- { 2, 4, 5, 7, 0, 0, 0, 0},
- { 0, 2, 4, 5, 7, 0, 0, 0},
- { 1, 2, 4, 5, 7, 0, 0, 0},
- { 0, 1, 2, 4, 5, 7, 0, 0},
- { 3, 4, 5, 7, 0, 0, 0, 0},
- { 0, 3, 4, 5, 7, 0, 0, 0},
- { 1, 3, 4, 5, 7, 0, 0, 0},
- { 0, 1, 3, 4, 5, 7, 0, 0},
- { 2, 3, 4, 5, 7, 0, 0, 0},
- { 0, 2, 3, 4, 5, 7, 0, 0},
- { 1, 2, 3, 4, 5, 7, 0, 0},
- { 0, 1, 2, 3, 4, 5, 7, 0},
- { 6, 7, 0, 0, 0, 0, 0, 0},
- { 0, 6, 7, 0, 0, 0, 0, 0},
- { 1, 6, 7, 0, 0, 0, 0, 0},
- { 0, 1, 6, 7, 0, 0, 0, 0},
- { 2, 6, 7, 0, 0, 0, 0, 0},
- { 0, 2, 6, 7, 0, 0, 0, 0},
- { 1, 2, 6, 7, 0, 0, 0, 0},
- { 0, 1, 2, 6, 7, 0, 0, 0},
- { 3, 6, 7, 0, 0, 0, 0, 0},
- { 0, 3, 6, 7, 0, 0, 0, 0},
- { 1, 3, 6, 7, 0, 0, 0, 0},
- { 0, 1, 3, 6, 7, 0, 0, 0},
- { 2, 3, 6, 7, 0, 0, 0, 0},
- { 0, 2, 3, 6, 7, 0, 0, 0},
- { 1, 2, 3, 6, 7, 0, 0, 0},
- { 0, 1, 2, 3, 6, 7, 0, 0},
- { 4, 6, 7, 0, 0, 0, 0, 0},
- { 0, 4, 6, 7, 0, 0, 0, 0},
- { 1, 4, 6, 7, 0, 0, 0, 0},
- { 0, 1, 4, 6, 7, 0, 0, 0},
- { 2, 4, 6, 7, 0, 0, 0, 0},
- { 0, 2, 4, 6, 7, 0, 0, 0},
- { 1, 2, 4, 6, 7, 0, 0, 0},
- { 0, 1, 2, 4, 6, 7, 0, 0},
- { 3, 4, 6, 7, 0, 0, 0, 0},
- { 0, 3, 4, 6, 7, 0, 0, 0},
- { 1, 3, 4, 6, 7, 0, 0, 0},
- { 0, 1, 3, 4, 6, 7, 0, 0},
- { 2, 3, 4, 6, 7, 0, 0, 0},
- { 0, 2, 3, 4, 6, 7, 0, 0},
- { 1, 2, 3, 4, 6, 7, 0, 0},
- { 0, 1, 2, 3, 4, 6, 7, 0},
- { 5, 6, 7, 0, 0, 0, 0, 0},
- { 0, 5, 6, 7, 0, 0, 0, 0},
- { 1, 5, 6, 7, 0, 0, 0, 0},
- { 0, 1, 5, 6, 7, 0, 0, 0},
- { 2, 5, 6, 7, 0, 0, 0, 0},
- { 0, 2, 5, 6, 7, 0, 0, 0},
- { 1, 2, 5, 6, 7, 0, 0, 0},
- { 0, 1, 2, 5, 6, 7, 0, 0},
- { 3, 5, 6, 7, 0, 0, 0, 0},
- { 0, 3, 5, 6, 7, 0, 0, 0},
- { 1, 3, 5, 6, 7, 0, 0, 0},
- { 0, 1, 3, 5, 6, 7, 0, 0},
- { 2, 3, 5, 6, 7, 0, 0, 0},
- { 0, 2, 3, 5, 6, 7, 0, 0},
- { 1, 2, 3, 5, 6, 7, 0, 0},
- { 0, 1, 2, 3, 5, 6, 7, 0},
- { 4, 5, 6, 7, 0, 0, 0, 0},
- { 0, 4, 5, 6, 7, 0, 0, 0},
- { 1, 4, 5, 6, 7, 0, 0, 0},
- { 0, 1, 4, 5, 6, 7, 0, 0},
- { 2, 4, 5, 6, 7, 0, 0, 0},
- { 0, 2, 4, 5, 6, 7, 0, 0},
- { 1, 2, 4, 5, 6, 7, 0, 0},
- { 0, 1, 2, 4, 5, 6, 7, 0},
- { 3, 4, 5, 6, 7, 0, 0, 0},
- { 0, 3, 4, 5, 6, 7, 0, 0},
- { 1, 3, 4, 5, 6, 7, 0, 0},
- { 0, 1, 3, 4, 5, 6, 7, 0},
- { 2, 3, 4, 5, 6, 7, 0, 0},
- { 0, 2, 3, 4, 5, 6, 7, 0},
- { 1, 2, 3, 4, 5, 6, 7, 0},
- { 0, 1, 2, 3, 4, 5, 6, 7}
-};
-
-unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_BUFLEN+8])
-{
- unsigned int ctr, pos;
- uint32_t good;
- __m256i d, tmp;
- const __m256i bound = _mm256_set1_epi32(Q);
- const __m256i mask = _mm256_set1_epi32(0x7FFFFF);
- const __m256i idx8 = _mm256_set_epi8(-1,15,14,13,-1,12,11,10,
- -1, 9, 8, 7,-1, 6, 5, 4,
- -1,11,10, 9,-1, 8, 7, 6,
- -1, 5, 4, 3,-1, 2, 1, 0);
-
- ctr = pos = 0;
- while(pos <= REJ_UNIFORM_BUFLEN - 24) {
- d = _mm256_loadu_si256((__m256i *)&buf[pos]);
- d = _mm256_permute4x64_epi64(d, 0x94);
- d = _mm256_shuffle_epi8(d, idx8);
- d = _mm256_and_si256(d, mask);
- pos += 24;
-
- tmp = _mm256_sub_epi32(d, bound);
- good = _mm256_movemask_ps((__m256)tmp);
- tmp = _mm256_cvtepu8_epi32(_mm_loadl_epi64((__m128i *)&idxlut[good]));
- d = _mm256_permutevar8x32_epi32(d, tmp);
-
- _mm256_storeu_si256((__m256i *)&r[ctr], d);
- ctr += _mm_popcnt_u32(good);
-
-#ifndef DILITHIUM_USE_AES
- if(ctr > N - 8) break;
-#endif
- }
-
-#ifndef DILITHIUM_USE_AES
- uint32_t t;
- while(ctr < N && pos <= REJ_UNIFORM_BUFLEN - 3) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- r[ctr++] = t;
- }
-#endif
-
- return ctr;
-}
-
-#if ETA == 2
-unsigned int rej_eta_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) {
- unsigned int ctr, pos;
- uint32_t good;
- __m256i f0, f1, f2;
- __m128i g0, g1;
- const __m256i mask = _mm256_set1_epi8(15);
- const __m256i eta = _mm256_set1_epi8(ETA);
- const __m256i bound = mask;
- const __m256i v = _mm256_set1_epi32(-6560);
- const __m256i p = _mm256_set1_epi32(5);
-
- ctr = pos = 0;
- while(ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) {
- f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos]));
- f1 = _mm256_slli_epi16(f0,4);
- f0 = _mm256_or_si256(f0,f1);
- f0 = _mm256_and_si256(f0,mask);
-
- f1 = _mm256_sub_epi8(f0,bound);
- f0 = _mm256_sub_epi8(eta,f0);
- good = _mm256_movemask_epi8(f1);
-
- g0 = _mm256_castsi256_si128(f0);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm256_extracti128_si256(f0,1);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good);
- pos += 4;
- }
-
- uint32_t t0, t1;
- while(ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- r[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < N) {
- t1 = t1 - (205*t1 >> 10)*5;
- r[ctr++] = 2 - t1;
- }
- }
-
- return ctr;
-}
-
-#elif ETA == 4
-unsigned int rej_eta_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) {
- unsigned int ctr, pos;
- uint32_t good;
- __m256i f0, f1;
- __m128i g0, g1;
- const __m256i mask = _mm256_set1_epi8(15);
- const __m256i eta = _mm256_set1_epi8(4);
- const __m256i bound = _mm256_set1_epi8(9);
-
- ctr = pos = 0;
- while(ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) {
- f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos]));
- f1 = _mm256_slli_epi16(f0,4);
- f0 = _mm256_or_si256(f0,f1);
- f0 = _mm256_and_si256(f0,mask);
-
- f1 = _mm256_sub_epi8(f0,bound);
- f0 = _mm256_sub_epi8(eta,f0);
- good = _mm256_movemask_epi8(f1);
-
- g0 = _mm256_castsi256_si128(f0);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm256_extracti128_si256(f0,1);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good);
- pos += 4;
- }
-
- uint32_t t0, t1;
- while(ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if(t0 < 9)
- r[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < N)
- r[ctr++] = 4 - t1;
- }
-
- return ctr;
-}
-#endif
+++ /dev/null
-#ifndef REJSAMPLE_H
-#define REJSAMPLE_H
-
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-
-#define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
-
-#if ETA == 2
-#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-#endif
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
-
-#define idxlut DILITHIUM_NAMESPACE(idxlut)
-extern const uint8_t idxlut[256][8];
-
-#define rej_uniform_avx DILITHIUM_NAMESPACE(rej_uniform_avx)
-unsigned int rej_uniform_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN+8]);
-
-#define rej_eta_avx DILITHIUM_NAMESPACE(rej_eta_avx)
-unsigned int rej_eta_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]);
-
-#endif
-
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include <string.h>
-#include "params.h"
-#include "rounding.h"
-#include "rejsample.h"
-#include "consts.h"
-
-#define _mm256_blendv_epi32(a,b,mask) \
- _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \
- _mm256_castsi256_ps(b), \
- _mm256_castsi256_ps(mask)))
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field elements a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be positive standard representative.
-*
-* Arguments: - __m256i *a1: output array of length N/8 with high bits
-* - __m256i *a0: output array of length N/8 with low bits a0
-* - const __m256i *a: input array of length N/8
-*
-**************************************************/
-void power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1;
- const __m256i mask = _mm256_set1_epi32(-(1 << D));
- const __m256i half = _mm256_set1_epi32((1 << (D-1)) - 1);
-
- for(i = 0; i < N/8; ++i) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,half);
- f0 = _mm256_and_si256(f1,mask);
- f1 = _mm256_srli_epi32(f1,D);
- f0 = _mm256_sub_epi32(f,f0);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low parts a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod Q - Q < 0. Assumes a to be positive standard
-* representative.
-*
-* Arguments: - __m256i *a1: output array of length N/8 with high parts
-* - __m256i *a0: output array of length N/8 with low parts a0
-* - const __m256i *a: input array of length N/8
-*
-**************************************************/
-#if GAMMA2 == (Q-1)/32
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i hq = _mm256_srli_epi32(q,1);
- const __m256i v = _mm256_set1_epi32(1025);
- const __m256i alpha = _mm256_set1_epi32(2*GAMMA2);
- const __m256i off = _mm256_set1_epi32(127);
- const __m256i shift = _mm256_set1_epi32(512);
- const __m256i mask = _mm256_set1_epi32(15);
-
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,off);
- f1 = _mm256_srli_epi32(f1,7);
- f1 = _mm256_mulhi_epu16(f1,v);
- f1 = _mm256_mulhrs_epi16(f1,shift);
- f1 = _mm256_and_si256(f1,mask);
- f0 = _mm256_mullo_epi32(f1,alpha);
- f0 = _mm256_sub_epi32(f,f0);
- f = _mm256_cmpgt_epi32(f0,hq);
- f = _mm256_and_si256(f,q);
- f0 = _mm256_sub_epi32(f0,f);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-
-#elif GAMMA2 == (Q-1)/88
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1,t;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i hq = _mm256_srli_epi32(q,1);
- const __m256i v = _mm256_set1_epi32(11275);
- const __m256i alpha = _mm256_set1_epi32(2*GAMMA2);
- const __m256i off = _mm256_set1_epi32(127);
- const __m256i shift = _mm256_set1_epi32(128);
- const __m256i max = _mm256_set1_epi32(43);
- const __m256i zero = _mm256_setzero_si256();
-
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,off);
- f1 = _mm256_srli_epi32(f1,7);
- f1 = _mm256_mulhi_epu16(f1,v);
- f1 = _mm256_mulhrs_epi16(f1,shift);
- t = _mm256_sub_epi32(max,f1);
- f1 = _mm256_blendv_epi32(f1,zero,t);
- f0 = _mm256_mullo_epi32(f1,alpha);
- f0 = _mm256_sub_epi32(f,f0);
- f = _mm256_cmpgt_epi32(f0,hq);
- f = _mm256_and_si256(f,q);
- f0 = _mm256_sub_epi32(f0,f);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-#endif
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute indices of polynomial coefficients whose low bits
-* overflow into the high bits.
-*
-* Arguments: - uint8_t *hint: hint array
-* - const __m256i *a0: low bits of input elements
-* - const __m256i *a1: high bits of input elements
-*
-* Returns number of overflowing low bits
-**************************************************/
-unsigned int make_hint_avx(uint8_t hint[N], const __m256i * restrict a0, const __m256i * restrict a1)
-{
- unsigned int i, n = 0;
- __m256i f0, f1, g0, g1;
- uint32_t bad;
- uint64_t idx;
- const __m256i low = _mm256_set1_epi32(-GAMMA2);
- const __m256i high = _mm256_set1_epi32(GAMMA2);
-
- for(i = 0; i < N/8; ++i) {
- f0 = _mm256_load_si256(&a0[i]);
- f1 = _mm256_load_si256(&a1[i]);
- g0 = _mm256_abs_epi32(f0);
- g0 = _mm256_cmpgt_epi32(g0,high);
- g1 = _mm256_cmpeq_epi32(f0,low);
- g1 = _mm256_sign_epi32(g1,f1);
- g0 = _mm256_or_si256(g0,g1);
-
- bad = _mm256_movemask_ps((__m256)g0);
- memcpy(&idx,idxlut[bad],8);
- idx += (uint64_t)0x0808080808080808*i;
- memcpy(&hint[n],&idx,8);
- n += _mm_popcnt_u32(bad);
- }
-
- return n;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high parts according to hint.
-*
-* Arguments: - __m256i *b: output array of length N/8 with corrected high parts
-* - const __m256i *a: input array of length N/8
-* - const __m256i *a: input array of length N/8 with hint bits
-*
-**************************************************/
-void use_hint_avx(__m256i *b, const __m256i *a, const __m256i * restrict hint) {
- unsigned int i;
- __m256i a0[N/8];
- __m256i f,g,h,t;
- const __m256i zero = _mm256_setzero_si256();
-#if GAMMA2 == (Q-1)/32
- const __m256i mask = _mm256_set1_epi32(15);
-#elif GAMMA2 == (Q-1)/88
- const __m256i max = _mm256_set1_epi32(43);
-#endif
-
- decompose_avx(b, a0, a);
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a0[i]);
- g = _mm256_load_si256(&b[i]);
- h = _mm256_load_si256(&hint[i]);
- t = _mm256_blendv_epi32(zero,h,f);
- t = _mm256_slli_epi32(t,1);
- h = _mm256_sub_epi32(h,t);
- g = _mm256_add_epi32(g,h);
-#if GAMMA2 == (Q-1)/32
- g = _mm256_and_si256(g,mask);
-#elif GAMMA2 == (Q-1)/88
- g = _mm256_blendv_epi32(g,max,g);
- f = _mm256_cmpgt_epi32(g,max);
- g = _mm256_blendv_epi32(g,zero,f);
-#endif
- _mm256_store_si256(&b[i],g);
- }
-}
+++ /dev/null
-#ifndef ROUNDING_H
-#define ROUNDING_H
-
-#include <stdint.h>
-#include <immintrin.h>
-#include "params.h"
-
-#define power2round_avx DILITHIUM_NAMESPACE(power2round_avx)
-void power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a);
-#define decompose_avx DILITHIUM_NAMESPACE(decompose_avx)
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a);
-#define make_hint_avx DILITHIUM_NAMESPACE(make_hint_avx)
-unsigned int make_hint_avx(uint8_t hint[N], const __m256i *a0, const __m256i *a1);
-#define use_hint_avx DILITHIUM_NAMESPACE(use_hint_avx)
-void use_hint_avx(__m256i *b, const __m256i *a, const __m256i *hint);
-
-#endif
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-#store
-vmovdqa %ymm9,(%rdi)
-vmovdqa %ymm8,32(%rdi)
-vmovdqa %ymm7,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm5,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm3,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(nttunpack_avx)
-cdecl(nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
+++ /dev/null
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
+++ /dev/null
-#include <stdint.h>
-#include <string.h>
-#include "align.h"
-#include "params.h"
-#include "sign.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "fips202.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-
-#ifndef DILITHIUM_USE_AES
-static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], const uint8_t rho[SEEDBYTES], unsigned int i) {
- switch(i) {
- case 0:
- polyvec_matrix_expand_row0(buf, buf + 1, rho);
- *row = buf;
- break;
- case 1:
- polyvec_matrix_expand_row1(buf + 1, buf, rho);
- *row = buf + 1;
- break;
- case 2:
- polyvec_matrix_expand_row2(buf, buf + 1, rho);
- *row = buf;
- break;
- case 3:
- polyvec_matrix_expand_row3(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#if K > 4
- case 4:
- polyvec_matrix_expand_row4(buf, buf + 1, rho);
- *row = buf;
- break;
- case 5:
- polyvec_matrix_expand_row5(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#endif
-#if K > 6
- case 6:
- polyvec_matrix_expand_row6(buf, buf + 1, rho);
- *row = buf;
- break;
- case 7:
- polyvec_matrix_expand_row7(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#endif
- }
-}
-#endif
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- unsigned int i;
- uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- const uint8_t *rho, *rhoprime, *key;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
- polyvecl rowbuf[2];
-#endif
- polyvecl s1, *row = rowbuf;
- polyveck s2;
- poly t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Store rho, key */
- memcpy(pk, rho, SEEDBYTES);
- memcpy(sk, rho, SEEDBYTES);
- memcpy(sk + SEEDBYTES, key, SEEDBYTES);
-
- /* Sample short vectors s1 and s2 */
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
- aes256_ctx_release(&aesctx);
-#elif K == 4 && L == 4
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
-#elif K == 6 && L == 5
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s1.vec[4], &s2.vec[0], &s2.vec[1], &s2.vec[2], rhoprime, 4, 5, 6, 7);
- poly_uniform_eta_4x(&s2.vec[3], &s2.vec[4], &s2.vec[5], &t0, rhoprime, 8, 9, 10, 11);
-#elif K == 8 && L == 7
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s1.vec[4], &s1.vec[5], &s1.vec[6], &s2.vec[0], rhoprime, 4, 5, 6, 7);
- poly_uniform_eta_4x(&s2.vec[1], &s2.vec[2], &s2.vec[3], &s2.vec[4], rhoprime, 8, 9, 10, 11);
- poly_uniform_eta_4x(&s2.vec[5], &s2.vec[6], &s2.vec[7], &t0, rhoprime, 12, 13, 14, 15);
-#else
-#error
-#endif
-
- /* Pack secret vectors */
- for(i = 0; i < L; i++)
- polyeta_pack(sk + 3*SEEDBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
- for(i = 0; i < K; i++)
- polyeta_pack(sk + 3*SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
-
- /* Transform s1 */
- polyvecl_ntt(&s1);
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rho, 0);
-#endif
-
- for(i = 0; i < K; i++) {
- /* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
- polyvec_matrix_expand_row(&row, rowbuf, rho, i);
-#endif
-
- /* Compute inner-product */
- polyvecl_pointwise_acc_montgomery(&t1, row, &s1);
- poly_invntt_tomont(&t1);
-
- /* Add error polynomial */
- poly_add(&t1, &t1, &s2.vec[i]);
-
- /* Round t and pack t1, t0 */
- poly_caddq(&t1);
- poly_power2round(&t1, &t0, &t1);
- polyt1_pack(pk + SEEDBYTES + i*POLYT1_PACKEDBYTES, &t1);
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- /* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned int i, n, pos;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint8_t hintbuf[N];
- uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
- uint64_t nonce = 0;
- polyvecl mat[K], s1, z;
- polyveck t0, s2, w1;
- poly c, tmp;
- union {
- polyvecl y;
- polyveck w0;
- } tmpv;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
-#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-#endif
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
-#endif
-
-rej:
- /* Sample intermediate vector y */
-#ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
- aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-#elif L == 4
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- nonce += 4;
-#elif L == 5
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- poly_uniform_gamma1(&z.vec[4], rhoprime, nonce + 4);
- nonce += 5;
-#elif L == 7
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- poly_uniform_gamma1_4x(&z.vec[4], &z.vec[5], &z.vec[6], &tmp,
- rhoprime, nonce + 4, nonce + 5, nonce + 6, 0);
- nonce += 7;
-#else
-#error
-#endif
-
- /* Matrix-vector product */
- tmpv.y = z;
- polyvecl_ntt(&tmpv.y);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &tmpv.y);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &tmpv.w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
- /* Compute z, reject if it reveals secret */
- for(i = 0; i < L; i++) {
- poly_pointwise_montgomery(&tmp, &c, &s1.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_add(&z.vec[i], &z.vec[i], &tmp);
- poly_reduce(&z.vec[i]);
- if(poly_chknorm(&z.vec[i], GAMMA1 - BETA))
- goto rej;
- }
-
- /* Zero hint vector in signature */
- pos = 0;
- memset(hint, 0, OMEGA);
-
- for(i = 0; i < K; i++) {
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- poly_pointwise_montgomery(&tmp, &c, &s2.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_sub(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp);
- poly_reduce(&tmpv.w0.vec[i]);
- if(poly_chknorm(&tmpv.w0.vec[i], GAMMA2 - BETA))
- goto rej;
-
- /* Compute hints */
- poly_pointwise_montgomery(&tmp, &c, &t0.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_reduce(&tmp);
- if(poly_chknorm(&tmp, GAMMA2))
- goto rej;
-
- poly_add(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp);
- n = poly_make_hint(hintbuf, &tmpv.w0.vec[i], &w1.vec[i]);
- if(pos + n > OMEGA)
- goto rej;
-
- /* Store hints in signature */
- memcpy(&hint[pos], hintbuf, n);
- hint[OMEGA + i] = pos = pos + n;
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- shake256_inc_ctx_release(&state);
- /* Pack z into signature */
- for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
-
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t i;
-
- for(i = 0; i < mlen; ++i)
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) {
- unsigned int i, j, pos = 0;
- /* polyw1_pack writes additional 14 bytes */
- ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf;
- uint8_t mu[CRHBYTES];
- const uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
- polyvecl rowbuf[2];
-#endif
- polyvecl *row = rowbuf;
- polyvecl z;
- poly c, w1, h;
- shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- /* Expand challenge */
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
- /* Unpack z; shortness follows from unpacking */
- for(i = 0; i < L; i++) {
- polyz_unpack(&z.vec[i], sig + SEEDBYTES + i*POLYZ_PACKEDBYTES);
- poly_ntt(&z.vec[i]);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, pk, 0);
-#endif
-
- for(i = 0; i < K; i++) {
- /* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
- polyvec_matrix_expand_row(&row, rowbuf, pk, i);
-#endif
-
- /* Compute i-th row of Az - c2^Dt1 */
- polyvecl_pointwise_acc_montgomery(&w1, row, &z);
-
- polyt1_unpack(&h, pk + SEEDBYTES + i*POLYT1_PACKEDBYTES);
- poly_shiftl(&h);
- poly_ntt(&h);
- poly_pointwise_montgomery(&h, &c, &h);
-
- poly_sub(&w1, &w1, &h);
- poly_reduce(&w1);
- poly_invntt_tomont(&w1);
-
- /* Get hint polynomial and reconstruct w1 */
- memset(h.vec, 0, sizeof(poly));
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
-
- for(j = pos; j < hint[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > pos && hint[j] <= hint[j-1]) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
- h.coeffs[hint[j]] = 1;
- }
- pos = hint[OMEGA + i];
-
- poly_caddq(&w1);
- poly_use_hint(&w1, &w1, &h);
- polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- /* Extra indices are zero for strong unforgeability */
- for(j = pos; j < OMEGA; ++j)
- if(hint[j]) return -1;
-
- /* Call random oracle and verify challenge */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(buf.coeffs[i] != sig[i])
- return -1;
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- size_t i;
-
- if(smlen < CRYPTO_BYTES)
- goto badsig;
-
- *mlen = smlen - CRYPTO_BYTES;
- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk))
- goto badsig;
- else {
- /* All good, copy msg, return 0 */
- for(i = 0; i < *mlen; ++i)
- m[i] = sm[CRYPTO_BYTES + i];
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for(i = 0; i < smlen; ++i)
- m[i] = 0;
-
- return -1;
-}
+++ /dev/null
-#ifndef SIGN_H
-#define SIGN_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
+++ /dev/null
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include <stdint.h>
-#include "params.h"
-
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) aes256_ctx_release(STATE)
-
-#else
-
-#include "fips202.h"
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-#endif
-
-#endif
+++ /dev/null
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
-or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
-
-For Keccak and the random number generator
-we are using public-domain code from sources
-and by authors listed in comments on top of
-the respective files.
+++ /dev/null
-#ifndef API_H
-#define API_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_ref_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_ref_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium2aes_ref_PUBLICKEYBYTES pqcrystals_dilithium2_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_ref_SECRETKEYBYTES pqcrystals_dilithium2_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_ref_BYTES pqcrystals_dilithium2_ref_BYTES
-
-int pqcrystals_dilithium2aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
-
-#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_ref_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3aes_ref_PUBLICKEYBYTES pqcrystals_dilithium3_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_ref_SECRETKEYBYTES pqcrystals_dilithium3_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_ref_BYTES pqcrystals_dilithium3_ref_BYTES
-
-int pqcrystals_dilithium3aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
-
-#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_ref_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5aes_ref_PUBLICKEYBYTES pqcrystals_dilithium5_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_ref_SECRETKEYBYTES pqcrystals_dilithium5_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_ref_BYTES pqcrystals_dilithium5_ref_BYTES
-
-int pqcrystals_dilithium5aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_ref_##s
-#endif
-#else
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
-#endif
-#endif
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "ntt.h"
-#include "reduce.h"
-
-static const int32_t zetas[N] = {
- 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468,
- 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103,
- 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549,
- -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005,
- 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439,
- -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299,
- -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596,
- 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
- -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221,
- -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922,
- 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047,
- -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430,
- -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618,
- -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856,
- 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330,
- 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961,
- 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462,
- 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378,
- 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500,
- -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838,
- 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044,
- 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974,
- -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970,
- -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642,
- -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031,
- -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993,
- -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385,
- -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107,
- -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078,
- -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893,
- -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687,
- -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782
-};
-
-/*************************************************
-* Name: ntt
-*
-* Description: Forward NTT, in-place. No modular reduction is performed after
-* additions or subtractions. Output vector is in bitreversed order.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void ntt(int32_t a[N]) {
- unsigned int len, start, j, k;
- int32_t zeta, t;
-
- k = 0;
- for(len = 128; len > 0; len >>= 1) {
- for(start = 0; start < N; start = j + len) {
- zeta = zetas[++k];
- for(j = start; j < start + len; ++j) {
- t = montgomery_reduce((int64_t)zeta * a[j + len]);
- a[j + len] = a[j] - t;
- a[j] = a[j] + t;
- }
- }
- }
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
-* In-place. No modular reductions after additions or
-* subtractions; input coefficients need to be smaller than
-* Q in absolute value. Output coefficient are smaller than Q in
-* absolute value.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void invntt_tomont(int32_t a[N]) {
- unsigned int start, len, j, k;
- int32_t t, zeta;
- const int32_t f = 41978; // mont^2/256
-
- k = 256;
- for(len = 1; len < N; len <<= 1) {
- for(start = 0; start < N; start = j + len) {
- zeta = -zetas[--k];
- for(j = start; j < start + len; ++j) {
- t = a[j];
- a[j] = t + a[j + len];
- a[j + len] = t - a[j + len];
- a[j + len] = montgomery_reduce((int64_t)zeta * a[j + len]);
- }
- }
- }
-
- for(j = 0; j < N; ++j) {
- a[j] = montgomery_reduce((int64_t)f * a[j]);
- }
-}
+++ /dev/null
-#ifndef NTT_H
-#define NTT_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define ntt DILITHIUM_NAMESPACE(ntt)
-void ntt(int32_t a[N]);
-
-#define invntt_tomont DILITHIUM_NAMESPACE(invntt_tomont)
-void invntt_tomont(int32_t a[N]);
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- pk[i] = rho[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = pk[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = rho[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = key[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = tr[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s2->vec[i]);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- key[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- tr[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i=0; i < L; ++i)
- polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyeta_unpack(&s2->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h)
-{
- unsigned int i, j, k;
-
- for(i=0; i < SEEDBYTES; ++i)
- sig[i] = c[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for(i = 0; i < OMEGA + K; ++i)
- sig[i] = 0;
-
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- if(h->vec[i].coeffs[j] != 0)
- sig[k++] = j;
-
- sig[OMEGA + i] = k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES])
-{
- unsigned int i, j, k;
-
- for(i = 0; i < SEEDBYTES; ++i)
- c[i] = sig[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- h->vec[i].coeffs[j] = 0;
-
- if(sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
- return 1;
-
- for(j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > k && sig[j] <= sig[j-1]) return 1;
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for(j = k; j < OMEGA; ++j)
- if(sig[j])
- return 1;
-
- return 0;
-}
+++ /dev/null
-#ifndef PACKING_H
-#define PACKING_H
-
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#include "config.h"
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-
-#endif
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES 96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-#include "ntt.h"
-#include "reduce.h"
-#include "rounding.h"
-#include "symmetric.h"
-
-#ifdef DBENCH
-#include "test/cpucycles.h"
-extern const uint64_t timing_overhead;
-extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
-#define DBENCH_START() uint64_t time = cpucycles()
-#define DBENCH_STOP(t) t += cpucycles() - time - timing_overhead
-#else
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-#endif
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007].
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_reduce(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] = reduce32(a->coeffs[i]);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_caddq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_caddq(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] = caddq(a->coeffs[i]);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = a->coeffs[i] - b->coeffs[i];
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] <<= D;
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_tomont(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_power2round(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a1->coeffs[i] = power2round(&a0->coeffs[i], a->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint polynomial. The coefficients of which indicate
-* whether the low bits of the corresponding coefficient of
-* the input polynomial overflow into the high bits.
-*
-* Arguments: - poly *h: pointer to output hint polynomial
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
- unsigned int i, s = 0;
- DBENCH_START();
-
- for(i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
- s += h->coeffs[i];
- }
-
- DBENCH_STOP(*tround);
- return s;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input coefficients were reduced by reduce32().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int32_t t;
- DBENCH_START();
-
- if(B > (Q-1)/8)
- return 1;
-
- /* It is ok to leak which coefficient violates the bound since
- the probability for each coefficient is independent of secret
- data but we must not leak the sign of the centralized representative. */
- for(i = 0; i < N; ++i) {
- /* Absolute value */
- t = a->coeffs[i] >> 31;
- t = a->coeffs[i] - (t & 2*a->coeffs[i]);
-
- if(t >= B) {
- DBENCH_STOP(*tsample);
- return 1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return 0;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- a[ctr++] = t;
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce)
-{
- unsigned int i, ctr, off;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES + 2];
- stream128_state state;
-
- stream128_init(&state, seed, nonce);
- stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);
-
- ctr = rej_uniform(a->coeffs, N, buf, buflen);
-
- while(ctr < N) {
- off = buflen % 3;
- for(i = 0; i < off; ++i)
- buf[i] = buf[buflen - off + i];
-
- stream128_squeezeblocks(buf + off, 1, &state);
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
- stream128_release(&state);
-}
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-#if ETA == 2
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- a[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < len) {
- t1 = t1 - (205*t1 >> 10)*5;
- a[ctr++] = 2 - t1;
- }
-#elif ETA == 4
- if(t0 < 9)
- a[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < len)
- a[ctr++] = 4 - t1;
-#endif
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#if ETA == 2
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#endif
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
-{
- unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr = rej_eta(a->coeffs, N, buf, buflen);
-
- while(ctr < N) {
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
- stream256_release(&state);
-}
-
-/*************************************************
-* Name: poly_uniform_gamma1m1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
-{
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- stream256_release(&state);
- polyz_unpack(a, buf);
-}
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_squeezeblocks(buf, 1, &state);
-
- signs = 0;
- for(i = 0; i < 8; ++i)
- signs |= (uint64_t)buf[i] << 8*i;
- pos = 8;
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = 0;
- for(i = N-TAU; i < N; ++i) {
- do {
- if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(buf, 1, &state);
- pos = 0;
- }
-
- b = buf[pos++];
- } while(b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
-
- r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
- r[i] = t[0] | (t[1] << 4);
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
- r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
- r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7;
- r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7;
- r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7;
- r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7;
- r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
- r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
-
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[i] & 0x0F;
- r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r[5*i+0] = (a->coeffs[4*i+0] >> 0);
- r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2);
- r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4);
- r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6);
- r[5*i+4] = (a->coeffs[4*i+3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt1_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF;
- r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF;
- r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF;
- r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- t[0] = (1 << (D-1)) - a->coeffs[8*i+0];
- t[1] = (1 << (D-1)) - a->coeffs[8*i+1];
- t[2] = (1 << (D-1)) - a->coeffs[8*i+2];
- t[3] = (1 << (D-1)) - a->coeffs[8*i+3];
- t[4] = (1 << (D-1)) - a->coeffs[8*i+4];
- t[5] = (1 << (D-1)) - a->coeffs[8*i+5];
- t[6] = (1 << (D-1)) - a->coeffs[8*i+6];
- t[7] = (1 << (D-1)) - a->coeffs[8*i+7];
-
- r[13*i+ 0] = t[0];
- r[13*i+ 1] = t[0] >> 8;
- r[13*i+ 1] |= t[1] << 5;
- r[13*i+ 2] = t[1] >> 3;
- r[13*i+ 3] = t[1] >> 11;
- r[13*i+ 3] |= t[2] << 2;
- r[13*i+ 4] = t[2] >> 6;
- r[13*i+ 4] |= t[3] << 7;
- r[13*i+ 5] = t[3] >> 1;
- r[13*i+ 6] = t[3] >> 9;
- r[13*i+ 6] |= t[4] << 4;
- r[13*i+ 7] = t[4] >> 4;
- r[13*i+ 8] = t[4] >> 12;
- r[13*i+ 8] |= t[5] << 1;
- r[13*i+ 9] = t[5] >> 7;
- r[13*i+ 9] |= t[6] << 6;
- r[13*i+10] = t[6] >> 2;
- r[13*i+11] = t[6] >> 10;
- r[13*i+11] |= t[7] << 3;
- r[13*i+12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = a[13*i+0];
- r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8;
- r->coeffs[8*i+0] &= 0x1FFF;
-
- r->coeffs[8*i+1] = a[13*i+1] >> 5;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11;
- r->coeffs[8*i+1] &= 0x1FFF;
-
- r->coeffs[8*i+2] = a[13*i+3] >> 2;
- r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6;
- r->coeffs[8*i+2] &= 0x1FFF;
-
- r->coeffs[8*i+3] = a[13*i+4] >> 7;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9;
- r->coeffs[8*i+3] &= 0x1FFF;
-
- r->coeffs[8*i+4] = a[13*i+6] >> 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12;
- r->coeffs[8*i+4] &= 0x1FFF;
-
- r->coeffs[8*i+5] = a[13*i+8] >> 1;
- r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7;
- r->coeffs[8*i+5] &= 0x1FFF;
-
- r->coeffs[8*i+6] = a[13*i+9] >> 6;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10;
- r->coeffs[8*i+6] &= 0x1FFF;
-
- r->coeffs[8*i+7] = a[13*i+11] >> 3;
- r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5;
- r->coeffs[8*i+7] &= 0x1FFF;
-
- r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
-
- r[9*i+0] = t[0];
- r[9*i+1] = t[0] >> 8;
- r[9*i+2] = t[0] >> 16;
- r[9*i+2] |= t[1] << 2;
- r[9*i+3] = t[1] >> 6;
- r[9*i+4] = t[1] >> 14;
- r[9*i+4] |= t[2] << 4;
- r[9*i+5] = t[2] >> 4;
- r[9*i+6] = t[2] >> 12;
- r[9*i+6] |= t[3] << 6;
- r[9*i+7] = t[3] >> 2;
- r[9*i+8] = t[3] >> 10;
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
-
- r[5*i+0] = t[0];
- r[5*i+1] = t[0] >> 8;
- r[5*i+2] = t[0] >> 16;
- r[5*i+2] |= t[1] << 4;
- r[5*i+3] = t[1] >> 4;
- r[5*i+4] = t[1] >> 12;
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = a[9*i+0];
- r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8;
- r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16;
- r->coeffs[4*i+0] &= 0x3FFFF;
-
- r->coeffs[4*i+1] = a[9*i+2] >> 2;
- r->coeffs[4*i+1] |= (uint32_t)a[9*i+3] << 6;
- r->coeffs[4*i+1] |= (uint32_t)a[9*i+4] << 14;
- r->coeffs[4*i+1] &= 0x3FFFF;
-
- r->coeffs[4*i+2] = a[9*i+4] >> 4;
- r->coeffs[4*i+2] |= (uint32_t)a[9*i+5] << 4;
- r->coeffs[4*i+2] |= (uint32_t)a[9*i+6] << 12;
- r->coeffs[4*i+2] &= 0x3FFFF;
-
- r->coeffs[4*i+3] = a[9*i+6] >> 6;
- r->coeffs[4*i+3] |= (uint32_t)a[9*i+7] << 2;
- r->coeffs[4*i+3] |= (uint32_t)a[9*i+8] << 10;
- r->coeffs[4*i+3] &= 0x3FFFF;
-
- r->coeffs[4*i+0] = GAMMA1 - r->coeffs[4*i+0];
- r->coeffs[4*i+1] = GAMMA1 - r->coeffs[4*i+1];
- r->coeffs[4*i+2] = GAMMA1 - r->coeffs[4*i+2];
- r->coeffs[4*i+3] = GAMMA1 - r->coeffs[4*i+3];
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[5*i+0];
- r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8;
- r->coeffs[2*i+0] |= (uint32_t)a[5*i+2] << 16;
- r->coeffs[2*i+0] &= 0xFFFFF;
-
- r->coeffs[2*i+1] = a[5*i+2] >> 4;
- r->coeffs[2*i+1] |= (uint32_t)a[5*i+3] << 4;
- r->coeffs[2*i+1] |= (uint32_t)a[5*i+4] << 12;
- r->coeffs[2*i+0] &= 0xFFFFF;
-
- r->coeffs[2*i+0] = GAMMA1 - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = GAMMA1 - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
-#if GAMMA2 == (Q-1)/88
- for(i = 0; i < N/4; ++i) {
- r[3*i+0] = a->coeffs[4*i+0];
- r[3*i+0] |= a->coeffs[4*i+1] << 6;
- r[3*i+1] = a->coeffs[4*i+1] >> 2;
- r[3*i+1] |= a->coeffs[4*i+2] << 4;
- r[3*i+2] = a->coeffs[4*i+2] >> 4;
- r[3*i+2] |= a->coeffs[4*i+3] << 2;
- }
-#elif GAMMA2 == (Q-1)/32
- for(i = 0; i < N/2; ++i)
- r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4);
-#endif
-
- DBENCH_STOP(*tpack);
-}
+++ /dev/null
-#ifndef POLY_H
-#define POLY_H
-
-#include <stdint.h>
-#include "params.h"
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t *r, const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t *a);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t *r, const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t *a);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t *r, const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t *a);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t *r, const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
-
- for(i = 0; i < K; ++i)
- for(j = 0; j < L; ++j)
- poly_uniform(&mat[i].vec[j], rho, (i << 8) + j);
-}
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v)
-{
- unsigned int i;
- poly t;
-
- poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]);
- for(i = 1; i < L; ++i) {
- poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]);
- poly_add(w, w, &t);
- }
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_caddq(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_shiftl(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - polyveck *h: pointer to output vector
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1)
-{
- unsigned int i, s = 0;
-
- for(i = 0; i < K; ++i)
- s += poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
-
- return s;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
-}
-
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyw1_pack(&r[i*POLYW1_PACKEDBYTES], &w1->vec[i]);
-}
+++ /dev/null
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery \
- DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "reduce.h"
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int64_t)(int32_t)a*QINV;
- t = (a - (int64_t)t*Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t*Q;
- return t;
-}
-
-/*************************************************
-* Name: caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t caddq(int32_t a) {
- a += (a >> 31) & Q;
- return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t freeze(int32_t a) {
- a = reduce32(a);
- a = caddq(a);
- return a;
-}
+++ /dev/null
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define MONT -4186625 // 2^32 % Q
-#define QINV 58728449 // q^(-1) mod 2^32
-
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
-
-#define reduce32 DILITHIUM_NAMESPACE(reduce32)
-int32_t reduce32(int32_t a);
-
-#define caddq DILITHIUM_NAMESPACE(caddq)
-int32_t caddq(int32_t a);
-
-#define freeze DILITHIUM_NAMESPACE(freeze)
-int32_t freeze(int32_t a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "rounding.h"
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D-1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
-#if GAMMA2 == (Q-1)/32
- a1 = (a1*1025 + (1 << 21)) >> 22;
- a1 &= 15;
-#elif GAMMA2 == (Q-1)/88
- a1 = (a1*11275 + (1 << 23)) >> 24;
- a1 ^= ((43 - a1) >> 31) & a1;
-#endif
-
- *a0 = a - a1*2*GAMMA2;
- *a0 -= (((Q-1)/2 - *a0) >> 31) & Q;
- return a1;
-}
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if(a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = decompose(&a0, a);
- if(hint == 0)
- return a1;
-
-#if GAMMA2 == (Q-1)/32
- if(a0 > 0)
- return (a1 + 1) & 15;
- else
- return (a1 - 1) & 15;
-#elif GAMMA2 == (Q-1)/88
- if(a0 > 0)
- return (a1 == 43) ? 0 : a1 + 1;
- else
- return (a1 == 0) ? 43 : a1 - 1;
-#endif
-}
+++ /dev/null
-#ifndef ROUNDING_H
-#define ROUNDING_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define power2round DILITHIUM_NAMESPACE(power2round)
-int32_t power2round(int32_t *a0, int32_t a);
-
-#define decompose DILITHIUM_NAMESPACE(decompose)
-int32_t decompose(int32_t *a0, int32_t a);
-
-#define make_hint DILITHIUM_NAMESPACE(make_hint)
-unsigned int make_hint(int32_t a0, int32_t a1);
-
-#define use_hint DILITHIUM_NAMESPACE(use_hint)
-int32_t use_hint(int32_t a, unsigned int hint);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "sign.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
- const uint8_t *rho, *rhoprime, *key;
- polyvecl mat[K];
- polyvecl s1, s1hat;
- polyveck s2, t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Expand matrix */
- polyvec_matrix_expand(mat, rho);
-
- /* Sample short vectors s1 and s2 */
- polyvecl_uniform_eta(&s1, rhoprime, 0);
- polyveck_uniform_eta(&s2, rhoprime, L);
-
- /* Matrix-vector multiplication */
- s1hat = s1;
- polyvecl_ntt(&s1hat);
- polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat);
- polyveck_reduce(&t1);
- polyveck_invntt_tomont(&t1);
-
- /* Add error vector s2 */
- polyveck_add(&t1, &t1, &s2);
-
- /* Extract t1 and write public key */
- polyveck_caddq(&t1);
- polyveck_power2round(&t1, &t0, &t1);
- pack_pk(pk, rho, &t1);
-
- /* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig,
- size_t *siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk)
-{
- unsigned int n;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint16_t nonce = 0;
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
-#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-#endif
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-rej:
- /* Sample intermediate vector y */
- polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
- /* Matrix-vector multiplication */
- z = y;
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
- /* Compute z, reject if it reveals secret */
- polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
- polyvecl_invntt_tomont(&z);
- polyvecl_add(&z, &z, &y);
- polyvecl_reduce(&z);
- if(polyvecl_chknorm(&z, GAMMA1 - BETA))
- goto rej;
-
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
- polyveck_invntt_tomont(&h);
- polyveck_sub(&w0, &w0, &h);
- polyveck_reduce(&w0);
- if(polyveck_chknorm(&w0, GAMMA2 - BETA))
- goto rej;
-
- /* Compute hints for w1 */
- polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
- polyveck_invntt_tomont(&h);
- polyveck_reduce(&h);
- if(polyveck_chknorm(&h, GAMMA2))
- goto rej;
-
- polyveck_add(&w0, &w0, &h);
- n = polyveck_make_hint(&h, &w0, &w1);
- if(n > OMEGA)
- goto rej;
-
- shake256_inc_ctx_release(&state);
-
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm,
- size_t *smlen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk)
-{
- size_t i;
-
- for(i = 0; i < mlen; ++i)
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig,
- size_t siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *pk)
-{
- unsigned int i;
- uint8_t buf[K*POLYW1_PACKEDBYTES];
- uint8_t rho[SEEDBYTES];
- uint8_t mu[CRHBYTES];
- uint8_t c[SEEDBYTES];
- uint8_t c2[SEEDBYTES];
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
- shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- unpack_pk(rho, &t1, pk);
- if(unpack_sig(c, &z, &h, sig))
- return -1;
- if(polyvecl_chknorm(&z, GAMMA1 - BETA))
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
- polyvec_matrix_expand(mat, rho);
-
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
- poly_ntt(&cp);
- polyveck_shiftl(&t1);
- polyveck_ntt(&t1);
- polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
- polyveck_sub(&w1, &w1, &t1);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Reconstruct w1 */
- polyveck_caddq(&w1);
- polyveck_use_hint(&w1, &w1, &h);
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(c2, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(c[i] != c2[i])
- return -1;
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m,
- size_t *mlen,
- const uint8_t *sm,
- size_t smlen,
- const uint8_t *pk)
-{
- size_t i;
-
- if(smlen < CRYPTO_BYTES)
- goto badsig;
-
- *mlen = smlen - CRYPTO_BYTES;
- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk))
- goto badsig;
- else {
- /* All good, copy msg, return 0 */
- for(i = 0; i < *mlen; ++i)
- m[i] = sm[CRYPTO_BYTES + i];
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for(i = 0; i < smlen; ++i)
- m[i] = 0;
-
- return -1;
-}
+++ /dev/null
-#ifndef SIGN_H
-#define SIGN_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
+++ /dev/null
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include <stdint.h>
-#include "params.h"
-
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define dilithium_aes256ctr_init DILITHIUM_NAMESPACE(dilithium_aes256ctr_init)
-void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) \
- aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) \
- aes256_ctx_release(STATE)
-
-#else
-
-#include "fips202.h"
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-#endif
-
-#endif
+++ /dev/null
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
-or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
-
-For Keccak and the random number generator
-we are using public-domain code from sources
-and by authors listed in comments on top of
-the respective files.
+++ /dev/null
-#ifndef ALIGN_H
-#define ALIGN_H
-
-#include <stdint.h>
-#include <immintrin.h>
-
-#define ALIGNED_UINT8(N) \
- union { \
- uint8_t coeffs[N]; \
- __m256i vec[(N+31)/32]; \
- }
-
-#define ALIGNED_INT32(N) \
- union { \
- int32_t coeffs[N]; \
- __m256i vec[(N+7)/8]; \
- }
-
-#endif
+++ /dev/null
-#ifndef API_H
-#define API_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium2aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_SECRETKEYBYTES pqcrystals_dilithium2_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_BYTES pqcrystals_dilithium2_avx2_BYTES
-
-int pqcrystals_dilithium2aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
-
-#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_SECRETKEYBYTES pqcrystals_dilithium3_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_BYTES pqcrystals_dilithium3_avx2_BYTES
-
-int pqcrystals_dilithium3aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
-
-#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_SECRETKEYBYTES pqcrystals_dilithium5_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_BYTES pqcrystals_dilithium5_avx2_BYTES
-
-int pqcrystals_dilithium5aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_avx2_##s
-#endif
-#else
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
-#endif
-#endif
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "consts.h"
-
-#define QINV 58728449 // q^(-1) mod 2^32
-#define MONT -4186625 // 2^32 mod q
-#define DIV 41978 // mont^2/256
-#define DIV_QINV -8395782
-
-const qdata_t qdata = {{
-#define _8XQ 0
- Q, Q, Q, Q, Q, Q, Q, Q,
-
-#define _8XQINV 8
- QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV,
-
-#define _8XDIV_QINV 16
- DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV,
-
-#define _8XDIV 24
- DIV, DIV, DIV, DIV, DIV, DIV, DIV, DIV,
-
-#define _ZETAS_QINV 32
- -151046689, 1830765815, -1929875198, -1927777021, 1640767044, 1477910808, 1612161320, 1640734244,
- 308362795, 308362795, 308362795, 308362795, -1815525077, -1815525077, -1815525077, -1815525077,
- -1374673747, -1374673747, -1374673747, -1374673747, -1091570561, -1091570561, -1091570561, -1091570561,
- -1929495947, -1929495947, -1929495947, -1929495947, 515185417, 515185417, 515185417, 515185417,
- -285697463, -285697463, -285697463, -285697463, 625853735, 625853735, 625853735, 625853735,
- 1727305304, 1727305304, 2082316400, 2082316400, -1364982364, -1364982364, 858240904, 858240904,
- 1806278032, 1806278032, 222489248, 222489248, -346752664, -346752664, 684667771, 684667771,
- 1654287830, 1654287830, -878576921, -878576921, -1257667337, -1257667337, -748618600, -748618600,
- 329347125, 329347125, 1837364258, 1837364258, -1443016191, -1443016191, -1170414139, -1170414139,
- -1846138265, -1631226336, -1404529459, 1838055109, 1594295555, -1076973524, -1898723372, -594436433,
- -202001019, -475984260, -561427818, 1797021249, -1061813248, 2059733581, -1661512036, -1104976547,
- -1750224323, -901666090, 418987550, 1831915353, -1925356481, 992097815, 879957084, 2024403852,
- 1484874664, -1636082790, -285388938, -1983539117, -1495136972, -950076368, -1714807468, -952438995,
- -1574918427, 1350681039, -2143979939, 1599739335, -1285853323, -993005454, -1440787840, 568627424,
- -783134478, -588790216, 289871779, -1262003603, 2135294594, -1018755525, -889861155, 1665705315,
- 1321868265, 1225434135, -1784632064, 666258756, 675310538, -1555941048, -1999506068, -1499481951,
- -695180180, -1375177022, 1777179795, 334803717, -178766299, -518252220, 1957047970, 1146323031,
- -654783359, -1974159335, 1651689966, 140455867, -1039411342, 1955560694, 1529189038, -2131021878,
- -247357819, 1518161567, -86965173, 1708872713, 1787797779, 1638590967, -120646188, -1669960606,
- -916321552, 1155548552, 2143745726, 1210558298, -1261461890, -318346816, 628664287, -1729304568,
- 1422575624, 1424130038, -1185330464, 235321234, 168022240, 1206536194, 985155484, -894060583,
- -898413, -1363460238, -605900043, 2027833504, 14253662, 1014493059, 863641633, 1819892093,
- 2124962073, -1223601433, -1920467227, -1637785316, -1536588520, 694382729, 235104446, -1045062172,
- 831969619, -300448763, 756955444, -260312805, 1554794072, 1339088280, -2040058690, -853476187,
- -2047270596, -1723816713, -1591599803, -440824168, 1119856484, 1544891539, 155290192, -973777462,
- 991903578, 912367099, -44694137, 1176904444, -421552614, -818371958, 1747917558, -325927722,
- 908452108, 1851023419, -1176751719, -1354528380, -72690498, -314284737, 985022747, 963438279,
- -1078959975, 604552167, -1021949428, 608791570, 173440395, -2126092136, -1316619236, -1039370342,
- 6087993, -110126092, 565464272, -1758099917, -1600929361, 879867909, -1809756372, 400711272,
- 1363007700, 30313375, -326425360, 1683520342, -517299994, 2027935492, -1372618620, 128353682,
- -1123881663, 137583815, -635454918, -642772911, 45766801, 671509323, -2070602178, 419615363,
- 1216882040, -270590488, -1276805128, 371462360, -1357098057, -384158533, 827959816, -596344473,
- 702390549, -279505433, -260424530, -71875110, -1208667171, -1499603926, 2036925262, -540420426,
- 746144248, -1420958686, 2032221021, 1904936414, 1257750362, 1926727420, 1931587462, 1258381762,
- 885133339, 1629985060, 1967222129, 6363718, -1287922800, 1136965286, 1779436847, 1116720494,
- 1042326957, 1405999311, 713994583, 940195359, -1542497137, 2061661095, -883155599, 1726753853,
- -1547952704, 394851342, 283780712, 776003547, 1123958025, 201262505, 1934038751, 374860238,
-
-#define _ZETAS 328
- -3975713, 25847, -2608894, -518909, 237124, -777960, -876248, 466468,
- 1826347, 1826347, 1826347, 1826347, 2353451, 2353451, 2353451, 2353451,
- -359251, -359251, -359251, -359251, -2091905, -2091905, -2091905, -2091905,
- 3119733, 3119733, 3119733, 3119733, -2884855, -2884855, -2884855, -2884855,
- 3111497, 3111497, 3111497, 3111497, 2680103, 2680103, 2680103, 2680103,
- 2725464, 2725464, 1024112, 1024112, -1079900, -1079900, 3585928, 3585928,
- -549488, -549488, -1119584, -1119584, 2619752, 2619752, -2108549, -2108549,
- -2118186, -2118186, -3859737, -3859737, -1399561, -1399561, -3277672, -3277672,
- 1757237, 1757237, -19422, -19422, 4010497, 4010497, 280005, 280005,
- 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439,
- -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299,
- -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596,
- 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
- -3930395, -3677745, -1452451, 2176455, -1257611, -4083598, -3190144, -3632928,
- 3412210, 2147896, -2967645, -411027, -671102, -22981, -381987, 1852771,
- -3343383, 508951, 44288, 904516, -3724342, 1653064, 2389356, 759969,
- 189548, 3159746, -2409325, 1315589, 1285669, -812732, -3019102, -3628969,
- -1528703, -3041255, 3475950, -1585221, 1939314, -1000202, -3157330, 126922,
- -983419, 2715295, -3693493, -2477047, -1228525, -1308169, 1349076, -1430430,
- 264944, 3097992, -1100098, 3958618, -8578, -3249728, -210977, -1316856,
- -3553272, -1851402, -177440, 1341330, -1584928, -1439742, -3881060, 3839961,
- 2091667, -3342478, 266997, -3520352, 900702, 495491, -655327, -3556995,
- 342297, 3437287, 2842341, 4055324, -3767016, -2994039, -1333058, -451100,
- -1279661, 1500165, -542412, -2584293, -2013608, 1957272, -3183426, 810149,
- -3038916, 2213111, -426683, -1667432, -2939036, 183443, -554416, 3937738,
- 3407706, 2244091, 2434439, -3759364, 1859098, -1613174, -3122442, -525098,
- 286988, -3342277, 2691481, 1247620, 1250494, 1869119, 1237275, 1312455,
- 1917081, 777191, -2831860, -3724270, 2432395, 3369112, 162844, 1652634,
- 3523897, -975884, 1723600, -1104333, -2235985, -976891, 3919660, 1400424,
- 2316500, -2446433, -1235728, -1197226, 909542, -43260, 2031748, -768622,
- -2437823, 1735879, -2590150, 2486353, 2635921, 1903435, -3318210, 3306115,
- -2546312, 2235880, -1671176, 594136, 2454455, 185531, 1616392, -3694233,
- 3866901, 1717735, -1803090, -260646, -420899, 1612842, -48306, -846154,
- 3817976, -3562462, 3513181, -3193378, 819034, -522500, 3207046, -3595838,
- 4108315, 203044, 1265009, 1595974, -3548272, -1050970, -1430225, -1962642,
- -1374803, 3406031, -1846953, -3776993, -164721, -1207385, 3014001, -1799107,
- 269760, 472078, 1910376, -3833893, -2286327, -3545687, -1362209, 1976782,
-}};
+++ /dev/null
-#ifndef CONSTS_H
-#define CONSTS_H
-
-#include "params.h"
-
-#define _8XQ 0
-#define _8XQINV 8
-#define _8XDIV_QINV 16
-#define _8XDIV 24
-#define _ZETAS_QINV 32
-#define _ZETAS 328
-
-/* The C ABI on MacOS exports all symbols with a leading
- * underscore. This means that any symbols we refer to from
- * C files (functions) can't be found, and all symbols we
- * refer to from ASM also can't be found.
- *
- * This define helps us get around this
- */
-#if defined(__WIN32__) || defined(__APPLE__)
-#define decorate(s) _##s
-#define _cdecl(s) decorate(s)
-#define cdecl(s) _cdecl(DILITHIUM_NAMESPACE(##s))
-#else
-#define cdecl(s) DILITHIUM_NAMESPACE(##s)
-#endif
-
-#ifndef __ASSEMBLER__
-
-#include "align.h"
-
-typedef ALIGNED_INT32(624) qdata_t;
-
-#define qdata DILITHIUM_NAMESPACE(qdata)
-extern const qdata_t qdata;
-
-#endif
-#endif
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpsubd %ymm\l,%ymm\h,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vpmuldq %ymm\zl0,%ymm12,%ymm13
-vmovshdup %ymm12,%ymm\h
-vpmuldq %ymm\zl1,%ymm\h,%ymm14
-
-vpmuldq %ymm\zh0,%ymm12,%ymm12
-vpmuldq %ymm\zh1,%ymm\h,%ymm\h
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vpsubd %ymm13,%ymm12,%ymm12
-vpsubd %ymm14,%ymm\h,%ymm\h
-
-vmovshdup %ymm12,%ymm12
-vpblendd $0xAA,%ymm\h,%ymm12,%ymm\h
-.endm
-
-.macro levels0t5 off
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-/* level 0 */
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,5,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 6,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-72)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-72)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,9,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-104)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-104)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 10,11,1,3,2,15
-
-/* level 1 */
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,6,1,3,2,15
-butterfly 5,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,10,1,3,2,15
-butterfly 9,11,1,3,2,15
-
-/* level 2 */
-vpermq $0x1B,(_ZETAS_QINV+104-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+104-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,8,1,3,2,15
-butterfly 5,9,1,3,2,15
-butterfly 6,10,1,3,2,15
-butterfly 7,11,1,3,2,15
-
-/* level 3 */
-shuffle2 4,5,3,5
-shuffle2 6,7,4,7
-shuffle2 8,9,6,9
-shuffle2 10,11,8,11
-
-vpermq $0x1B,(_ZETAS_QINV+72-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+72-8*\off-8)*4(%rsi),%ymm2
-butterfly 3,5
-butterfly 4,7
-butterfly 6,9
-butterfly 8,11
-
-/* level 4 */
-shuffle4 3,4,10,4
-shuffle4 6,8,3,8
-shuffle4 5,7,6,7
-shuffle4 9,11,5,11
-
-vpermq $0x1B,(_ZETAS_QINV+40-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+40-8*\off-8)*4(%rsi),%ymm2
-butterfly 10,4
-butterfly 3,8
-butterfly 6,7
-butterfly 5,11
-
-/* level 5 */
-shuffle8 10,3,9,3
-shuffle8 6,5,10,5
-shuffle8 4,8,6,8
-shuffle8 7,11,4,11
-
-vpbroadcastd (_ZETAS_QINV+7-\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+7-\off)*4(%rsi),%ymm2
-butterfly 9,3
-butterfly 10,5
-butterfly 6,8
-butterfly 4,11
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm10,256*\off+ 32(%rdi)
-vmovdqa %ymm6,256*\off+ 64(%rdi)
-vmovdqa %ymm4,256*\off+ 96(%rdi)
-vmovdqa %ymm3,256*\off+128(%rdi)
-vmovdqa %ymm5,256*\off+160(%rdi)
-vmovdqa %ymm8,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.macro levels6t7 off
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-/* level 6 */
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-/* level 7 */
-vpbroadcastd (_ZETAS_QINV+0)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+0)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-
-vmovdqa (_8XDIV_QINV)*4(%rsi),%ymm1
-vmovdqa (_8XDIV)*4(%rsi),%ymm2
-vpmuldq %ymm1,%ymm4,%ymm12
-vpmuldq %ymm1,%ymm5,%ymm13
-vmovshdup %ymm4,%ymm8
-vmovshdup %ymm5,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm4,%ymm4
-vpmuldq %ymm2,%ymm5,%ymm5
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm4,%ymm4
-vpsubd %ymm13,%ymm5,%ymm5
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm4,%ymm4
-vmovshdup %ymm5,%ymm5
-vpblendd $0xAA,%ymm8,%ymm4,%ymm4
-vpblendd $0xAA,%ymm9,%ymm5,%ymm5
-
-vpmuldq %ymm1,%ymm6,%ymm12
-vpmuldq %ymm1,%ymm7,%ymm13
-vmovshdup %ymm6,%ymm8
-vmovshdup %ymm7,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm6,%ymm6
-vpmuldq %ymm2,%ymm7,%ymm7
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm6,%ymm6
-vpsubd %ymm13,%ymm7,%ymm7
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm6,%ymm6
-vmovshdup %ymm7,%ymm7
-vpblendd $0xAA,%ymm8,%ymm6,%ymm6
-vpblendd $0xAA,%ymm9,%ymm7,%ymm7
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-.endm
-
-.text
-.global cdecl(invntt_avx)
-cdecl(invntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t5 0
-levels0t5 1
-levels0t5 2
-levels0t5 3
-
-levels6t7 0
-levels6t7 1
-levels6t7 2
-levels6t7 3
-
-ret
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpmuldq %ymm\zl0,%ymm\h,%ymm13
-vmovshdup %ymm\h,%ymm12
-vpmuldq %ymm\zl1,%ymm12,%ymm14
-
-vpmuldq %ymm\zh0,%ymm\h,%ymm\h
-vpmuldq %ymm\zh1,%ymm12,%ymm12
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vmovshdup %ymm\h,%ymm\h
-vpblendd $0xAA,%ymm12,%ymm\h,%ymm\h
-
-vpsubd %ymm\h,%ymm\l,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vmovshdup %ymm13,%ymm13
-vpblendd $0xAA,%ymm14,%ymm13,%ymm13
-
-vpaddd %ymm13,%ymm12,%ymm\h
-vpsubd %ymm13,%ymm\l,%ymm\l
-.endm
-
-.macro levels0t1 off
-/* level 0 */
-vpbroadcastd (_ZETAS_QINV+1)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+1)*4(%rsi),%ymm2
-
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-/* level 1 */
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-.endm
-
-.macro levels2t7 off
-/* level 2 */
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-vpbroadcastd (_ZETAS_QINV+4+\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+4+\off)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-/* level 3 */
-vmovdqa (_ZETAS_QINV+8+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+8+8*\off)*4(%rsi),%ymm2
-
-butterfly 3,5
-butterfly 8,10
-butterfly 4,6
-butterfly 9,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-/* level 4 */
-vmovdqa (_ZETAS_QINV+40+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+40+8*\off)*4(%rsi),%ymm2
-
-butterfly 7,8
-butterfly 5,6
-butterfly 3,4
-butterfly 10,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-/* level 5 */
-vmovdqa (_ZETAS_QINV+72+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+72+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-
-butterfly 9,5,1,10,2,15
-butterfly 8,4,1,10,2,15
-butterfly 7,3,1,10,2,15
-butterfly 6,11,1,10,2,15
-
-/* level 6 */
-vmovdqa (_ZETAS_QINV+104+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,7,1,10,2,15
-butterfly 8,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+104+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,3,1,10,2,15
-butterfly 4,11,1,10,2,15
-
-/* level 7 */
-vmovdqa (_ZETAS_QINV+168+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,8,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 7,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+64)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+64)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,4,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+96)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+96)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 3,11,1,10,2,15
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm8,256*\off+ 32(%rdi)
-vmovdqa %ymm7,256*\off+ 64(%rdi)
-vmovdqa %ymm6,256*\off+ 96(%rdi)
-vmovdqa %ymm5,256*\off+128(%rdi)
-vmovdqa %ymm4,256*\off+160(%rdi)
-vmovdqa %ymm3,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.text
-.global cdecl(ntt_avx)
-cdecl(ntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t1 0
-levels0t1 1
-levels0t1 2
-levels0t1 3
-
-levels2t7 0
-levels2t7 1
-levels2t7 2
-levels2t7 3
-
-ret
-
+++ /dev/null
-#ifndef NTT_H
-#define NTT_H
-
-#include <immintrin.h>
-
-#define ntt_avx DILITHIUM_NAMESPACE(ntt_avx)
-void ntt_avx(__m256i *a, const __m256i *qdata);
-#define invntt_avx DILITHIUM_NAMESPACE(invntt_avx)
-void invntt_avx(__m256i *a, const __m256i *qdata);
-
-#define nttunpack_avx DILITHIUM_NAMESPACE(nttunpack_avx)
-void nttunpack_avx(__m256i *a);
-
-#define pointwise_avx DILITHIUM_NAMESPACE(pointwise_avx)
-void pointwise_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *qdata);
-#define pointwise_acc_avx DILITHIUM_NAMESPACE(pointwise_acc_avx)
-void pointwise_acc_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *qdata);
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- pk[i] = rho[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = pk[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = rho[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = key[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = tr[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s2->vec[i]);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- key[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- tr[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i=0; i < L; ++i)
- polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyeta_unpack(&s2->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h)
-{
- unsigned int i, j, k;
-
- for(i=0; i < SEEDBYTES; ++i)
- sig[i] = c[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for(i = 0; i < OMEGA + K; ++i)
- sig[i] = 0;
-
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- if(h->vec[i].coeffs[j] != 0)
- sig[k++] = j;
-
- sig[OMEGA + i] = k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES])
-{
- unsigned int i, j, k;
-
- for(i = 0; i < SEEDBYTES; ++i)
- c[i] = sig[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- h->vec[i].coeffs[j] = 0;
-
- if(sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
- return 1;
-
- for(j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > k && sig[j] <= sig[j-1]) return 1;
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for(j = k; j < OMEGA; ++j)
- if(sig[j])
- return 1;
-
- return 0;
-}
+++ /dev/null
-#ifndef PACKING_H
-#define PACKING_H
-
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#include "config.h"
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-
-#endif
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES 96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "consts.h"
-
-.text
-.global cdecl(pointwise_avx)
-cdecl(pointwise_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop1:
-#load
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa 64(%rsi),%ymm6
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vmovdqa 64(%rdx),%ymm14
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm6,%ymm7
-vpsrlq $32,%ymm10,%ymm11
-vpsrlq $32,%ymm12,%ymm13
-vmovshdup %ymm14,%ymm15
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-vpmuldq %ymm6,%ymm14,%ymm6
-vpmuldq %ymm7,%ymm15,%ymm7
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm0,%ymm6,%ymm14
-vpmuldq %ymm0,%ymm7,%ymm15
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpmuldq %ymm1,%ymm14,%ymm14
-vpmuldq %ymm1,%ymm15,%ymm15
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsubq %ymm14,%ymm6,%ymm6
-vpsubq %ymm15,%ymm7,%ymm7
-vpsrlq $32,%ymm2,%ymm2
-vpsrlq $32,%ymm4,%ymm4
-vmovshdup %ymm6,%ymm6
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-vpblendd $0xAA,%ymm7,%ymm6,%ymm6
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-
-add $96,%rdi
-add $96,%rsi
-add $96,%rdx
-add $1,%eax
-cmp $10,%eax
-jb _looptop1
-
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0x55,%ymm2,%ymm3,%ymm2
-vpblendd $0x55,%ymm4,%ymm5,%ymm4
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-ret
-
-.macro pointwise off
-#load
-vmovdqa \off(%rsi),%ymm6
-vmovdqa \off+32(%rsi),%ymm8
-vmovdqa \off(%rdx),%ymm10
-vmovdqa \off+32(%rdx),%ymm12
-vpsrlq $32,%ymm6,%ymm7
-vpsrlq $32,%ymm8,%ymm9
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm6,%ymm10,%ymm6
-vpmuldq %ymm7,%ymm11,%ymm7
-vpmuldq %ymm8,%ymm12,%ymm8
-vpmuldq %ymm9,%ymm13,%ymm9
-.endm
-
-.macro acc
-vpaddq %ymm6,%ymm2,%ymm2
-vpaddq %ymm7,%ymm3,%ymm3
-vpaddq %ymm8,%ymm4,%ymm4
-vpaddq %ymm9,%ymm5,%ymm5
-.endm
-
-.global cdecl(pointwise_acc_avx)
-cdecl(pointwise_acc_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop2:
-pointwise 0
-
-#mov
-vmovdqa %ymm6,%ymm2
-vmovdqa %ymm7,%ymm3
-vmovdqa %ymm8,%ymm4
-vmovdqa %ymm9,%ymm5
-
-pointwise 1024
-acc
-
-#if L >= 3
-pointwise 2048
-acc
-#endif
-
-#if L >= 4
-pointwise 3072
-acc
-#endif
-
-#if L >= 5
-pointwise 4096
-acc
-#endif
-
-#if L >= 6
-pointwise 5120
-acc
-#endif
-
-#if L >= 7
-pointwise 6144
-acc
-#endif
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm6
-vpmuldq %ymm0,%ymm3,%ymm7
-vpmuldq %ymm0,%ymm4,%ymm8
-vpmuldq %ymm0,%ymm5,%ymm9
-vpmuldq %ymm1,%ymm6,%ymm6
-vpmuldq %ymm1,%ymm7,%ymm7
-vpmuldq %ymm1,%ymm8,%ymm8
-vpmuldq %ymm1,%ymm9,%ymm9
-vpsubq %ymm6,%ymm2,%ymm2
-vpsubq %ymm7,%ymm3,%ymm3
-vpsubq %ymm8,%ymm4,%ymm4
-vpsubq %ymm9,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-add $64,%rsi
-add $64,%rdx
-add $64,%rdi
-add $1,%eax
-cmp $16,%eax
-jb _looptop2
-
-ret
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include <string.h>
-#include "align.h"
-#include "params.h"
-#include "poly.h"
-#include "ntt.h"
-#include "rounding.h"
-#include "rejsample.h"
-#include "consts.h"
-#include "symmetric.h"
-#ifndef DILITHIUM_USE_AES
-#include "fips202x4.h"
-#endif
-
-#ifdef DBENCH
-#include "test/cpucycles.h"
-extern const uint64_t timing_overhead;
-extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
-#define DBENCH_START() uint64_t time = cpucycles()
-#define DBENCH_STOP(t) t += cpucycles() - time - timing_overhead
-#else
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-#endif
-
-#define _mm256_blendv_epi32(a,b,mask) \
- _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \
- _mm256_castsi256_ps(b), \
- _mm256_castsi256_ps(mask)))
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007]. Assumes input
-* coefficients to be at most 2^31 - 2^22 - 1 in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_reduce(poly *a) {
- unsigned int i;
- __m256i f,g;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i off = _mm256_set1_epi32(1<<22);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_add_epi32(f,off);
- g = _mm256_srai_epi32(g,23);
- g = _mm256_mullo_epi32(g,q);
- f = _mm256_sub_epi32(f,g);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_addq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_caddq(poly *a) {
- unsigned int i;
- __m256i f,g;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i zero = _mm256_setzero_si256();
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_blendv_epi32(zero,q,f);
- f = _mm256_add_epi32(f,g);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f,g;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_load_si256(&b->vec[i]);
- f = _mm256_add_epi32(f,g);
- _mm256_store_si256(&c->vec[i],f);
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f,g;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_load_si256(&b->vec[i]);
- f = _mm256_sub_epi32(f,g);
- _mm256_store_si256(&c->vec[i],f);
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- __m256i f;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_slli_epi32(f,D);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by up to
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt_avx(a->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_avx(a->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-void poly_nttunpack(poly *a) {
- DBENCH_START();
-
- nttunpack_avx(a->vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- pointwise_avx(c->vec, a->vec, b->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod^+ Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_power2round(poly *a1, poly *a0, const poly *a)
-{
- DBENCH_START();
-
- power2round_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod^+ Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except if c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a)
-{
- DBENCH_START();
-
- decompose_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint array. The coefficients of which are the
-* indices of the coefficients of the input polynomial
-* whose low bits overflow into the high bits.
-*
-* Arguments: - uint8_t *h: pointer to output hint array (preallocated of length N)
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of hints, i.e. length of hint array.
-**************************************************/
-unsigned int poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1)
-{
- unsigned int r;
- DBENCH_START();
-
- r = make_hint_avx(hint, a0->vec, a1->vec);
-
- DBENCH_STOP(*tround);
- return r;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h)
-{
- DBENCH_START();
-
- use_hint_avx(b->vec, a->vec, h->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input polynomial to be reduced by poly_reduce().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int r;
- __m256i f,t;
- const __m256i bound = _mm256_set1_epi32(B-1);
- DBENCH_START();
-
- if(B > (Q-1)/8)
- return 1;
-
- t = _mm256_setzero_si256();
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_abs_epi32(f);
- f = _mm256_cmpgt_epi32(f,bound);
- t = _mm256_or_si256(t,f);
- }
-
- r = 1 - _mm256_testz_si256(t,t);
- DBENCH_STOP(*tsample);
- return r;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- a[ctr++] = t;
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void poly_uniform_preinit(poly *a, stream128_state *state)
-{
- unsigned int ctr;
- /* rej_uniform_avx reads up to 8 additional bytes */
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf;
-
- stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_NBLOCKS, state);
- ctr = rej_uniform_avx(a->coeffs, buf.coeffs);
-
- while(ctr < N) {
- /* length of buf is always divisible by 3; hence, no bytes left */
- stream128_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
- }
-}
-
-void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- stream128_state state;
- stream128_init(&state, seed, nonce);
- poly_uniform_preinit(a, &state);
- stream128_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[32],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
- shake128x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)seed);
- _mm256_store_si256(buf[0].vec,f);
- _mm256_store_si256(buf[1].vec,f);
- _mm256_store_si256(buf[2].vec,f);
- _mm256_store_si256(buf[3].vec,f);
-
- buf[0].coeffs[SEEDBYTES+0] = nonce0;
- buf[0].coeffs[SEEDBYTES+1] = nonce0 >> 8;
- buf[1].coeffs[SEEDBYTES+0] = nonce1;
- buf[1].coeffs[SEEDBYTES+1] = nonce1 >> 8;
- buf[2].coeffs[SEEDBYTES+0] = nonce2;
- buf[2].coeffs[SEEDBYTES+1] = nonce2 >> 8;
- buf[3].coeffs[SEEDBYTES+0] = nonce3;
- buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
-
- shake128x4_inc_init(&state);
- shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
-
- ctr0 = rej_uniform_avx(a0->coeffs, buf[0].coeffs);
- ctr1 = rej_uniform_avx(a1->coeffs, buf[1].coeffs);
- ctr2 = rej_uniform_avx(a2->coeffs, buf[2].coeffs);
- ctr3 = rej_uniform_avx(a3->coeffs, buf[3].coeffs);
-
- while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
-
- ctr0 += rej_uniform(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
- ctr1 += rej_uniform(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
- ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
- ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
- }
- shake128x4_inc_ctx_release(&state);
-}
-#endif
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-#if ETA == 2
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- a[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < len) {
- t1 = t1 - (205*t1 >> 10)*5;
- a[ctr++] = 2 - t1;
- }
-#elif ETA == 4
- if(t0 < 9)
- a[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < len)
- a[ctr++] = 4 - t1;
-#endif
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling using the
-* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void poly_uniform_eta_preinit(poly *a, stream256_state *state)
-{
- unsigned int ctr;
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
-
- stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
- ctr = rej_eta_avx(a->coeffs, buf.coeffs);
-
- while(ctr < N) {
- stream256_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
- }
-}
-
-void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_eta_preinit(a, &state);
- stream256_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_eta_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[64],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
-
- __m256i f;
- shake256x4incctx state;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
- _mm256_store_si256(&buf[1].vec[0],f);
- _mm256_store_si256(&buf[2].vec[0],f);
- _mm256_store_si256(&buf[3].vec[0],f);
- f = _mm256_loadu_si256((__m256i *)&seed[32]);
- _mm256_store_si256(&buf[0].vec[1],f);
- _mm256_store_si256(&buf[1].vec[1],f);
- _mm256_store_si256(&buf[2].vec[1],f);
- _mm256_store_si256(&buf[3].vec[1],f);
-
- buf[0].coeffs[64] = nonce0;
- buf[0].coeffs[65] = nonce0 >> 8;
- buf[1].coeffs[64] = nonce1;
- buf[1].coeffs[65] = nonce1 >> 8;
- buf[2].coeffs[64] = nonce2;
- buf[2].coeffs[65] = nonce2 >> 8;
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
- shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr0 = rej_eta_avx(a0->coeffs, buf[0].coeffs);
- ctr1 = rej_eta_avx(a1->coeffs, buf[1].coeffs);
- ctr2 = rej_eta_avx(a2->coeffs, buf[2].coeffs);
- ctr3 = rej_eta_avx(a3->coeffs, buf[3].coeffs);
-
- while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
-
- ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
- ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
- ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
- ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
- }
- shake256x4_inc_ctx_release(&state);
-}
-#endif
-
-/*************************************************
-* Name: poly_uniform_gamma1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1_preinit(poly *a, stream256_state *state)
-{
- /* polyz_unpack reads 14 additional bytes */
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf;
- stream256_squeezeblocks(buf.coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, state);
- polyz_unpack(a, buf.coeffs);
-}
-
-void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_gamma1_preinit(a, &state);
- stream256_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_gamma1_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[64],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
- shake256x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
- _mm256_store_si256(&buf[1].vec[0],f);
- _mm256_store_si256(&buf[2].vec[0],f);
- _mm256_store_si256(&buf[3].vec[0],f);
- f = _mm256_loadu_si256((__m256i *)&seed[32]);
- _mm256_store_si256(&buf[0].vec[1],f);
- _mm256_store_si256(&buf[1].vec[1],f);
- _mm256_store_si256(&buf[2].vec[1],f);
- _mm256_store_si256(&buf[3].vec[1],f);
-
- buf[0].coeffs[64] = nonce0;
- buf[0].coeffs[65] = nonce0 >> 8;
- buf[1].coeffs[64] = nonce1;
- buf[1].coeffs[65] = nonce1 >> 8;
- buf[2].coeffs[64] = nonce2;
- buf[2].coeffs[65] = nonce2 >> 8;
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
- shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- shake256x4_inc_ctx_release(&state);
-
- polyz_unpack(a0, buf[0].coeffs);
- polyz_unpack(a1, buf[1].coeffs);
- polyz_unpack(a2, buf[2].coeffs);
- polyz_unpack(a3, buf[3].coeffs);
-}
-#endif
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- ALIGNED_UINT8(SHAKE256_RATE) buf;
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
-
- memcpy(&signs, buf.coeffs, 8);
- pos = 8;
-
- memset(c->vec, 0, sizeof(poly));
- for(i = N-TAU; i < N; ++i) {
- do {
- if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(buf.coeffs, 1, &state);
- pos = 0;
- }
-
- b = buf.coeffs[pos++];
- } while(b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
-
- r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
- r[i] = t[0] | (t[1] << 4);
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly * restrict r, const uint8_t a[POLYETA_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
- r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
- r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7;
- r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7;
- r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7;
- r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7;
- r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
- r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
-
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[i] & 0x0F;
- r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r[5*i+0] = (a->coeffs[4*i+0] >> 0);
- r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2);
- r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4);
- r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6);
- r[5*i+4] = (a->coeffs[4*i+3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are positive standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt1_unpack(poly * restrict r, const uint8_t a[POLYT1_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF;
- r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF;
- r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF;
- r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- t[0] = (1 << (D-1)) - a->coeffs[8*i+0];
- t[1] = (1 << (D-1)) - a->coeffs[8*i+1];
- t[2] = (1 << (D-1)) - a->coeffs[8*i+2];
- t[3] = (1 << (D-1)) - a->coeffs[8*i+3];
- t[4] = (1 << (D-1)) - a->coeffs[8*i+4];
- t[5] = (1 << (D-1)) - a->coeffs[8*i+5];
- t[6] = (1 << (D-1)) - a->coeffs[8*i+6];
- t[7] = (1 << (D-1)) - a->coeffs[8*i+7];
-
- r[13*i+ 0] = t[0];
- r[13*i+ 1] = t[0] >> 8;
- r[13*i+ 1] |= t[1] << 5;
- r[13*i+ 2] = t[1] >> 3;
- r[13*i+ 3] = t[1] >> 11;
- r[13*i+ 3] |= t[2] << 2;
- r[13*i+ 4] = t[2] >> 6;
- r[13*i+ 4] |= t[3] << 7;
- r[13*i+ 5] = t[3] >> 1;
- r[13*i+ 6] = t[3] >> 9;
- r[13*i+ 6] |= t[4] << 4;
- r[13*i+ 7] = t[4] >> 4;
- r[13*i+ 8] = t[4] >> 12;
- r[13*i+ 8] |= t[5] << 1;
- r[13*i+ 9] = t[5] >> 7;
- r[13*i+ 9] |= t[6] << 6;
- r[13*i+10] = t[6] >> 2;
- r[13*i+11] = t[6] >> 10;
- r[13*i+11] |= t[7] << 3;
- r[13*i+12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly * restrict r, const uint8_t a[POLYT0_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = a[13*i+0];
- r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8;
- r->coeffs[8*i+0] &= 0x1FFF;
-
- r->coeffs[8*i+1] = a[13*i+1] >> 5;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11;
- r->coeffs[8*i+1] &= 0x1FFF;
-
- r->coeffs[8*i+2] = a[13*i+3] >> 2;
- r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6;
- r->coeffs[8*i+2] &= 0x1FFF;
-
- r->coeffs[8*i+3] = a[13*i+4] >> 7;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9;
- r->coeffs[8*i+3] &= 0x1FFF;
-
- r->coeffs[8*i+4] = a[13*i+6] >> 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12;
- r->coeffs[8*i+4] &= 0x1FFF;
-
- r->coeffs[8*i+5] = a[13*i+8] >> 1;
- r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7;
- r->coeffs[8*i+5] &= 0x1FFF;
-
- r->coeffs[8*i+6] = a[13*i+9] >> 6;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10;
- r->coeffs[8*i+6] &= 0x1FFF;
-
- r->coeffs[8*i+7] = a[13*i+11] >> 3;
- r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5;
- r->coeffs[8*i+7] &= 0x1FFF;
-
- r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
-
- r[9*i+0] = t[0];
- r[9*i+1] = t[0] >> 8;
- r[9*i+2] = t[0] >> 16;
- r[9*i+2] |= t[1] << 2;
- r[9*i+3] = t[1] >> 6;
- r[9*i+4] = t[1] >> 14;
- r[9*i+4] |= t[2] << 4;
- r[9*i+5] = t[2] >> 4;
- r[9*i+6] = t[2] >> 12;
- r[9*i+6] |= t[3] << 6;
- r[9*i+7] = t[3] >> 2;
- r[9*i+8] = t[3] >> 10;
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
-
- r[5*i+0] = t[0];
- r[5*i+1] = t[0] >> 8;
- r[5*i+2] = t[0] >> 16;
- r[5*i+2] |= t[1] << 4;
- r[5*i+3] = t[1] >> 4;
- r[5*i+4] = t[1] >> 12;
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-#if GAMMA1 == (1 << 17)
-void polyz_unpack(poly * restrict r, const uint8_t *a) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1, 9, 8, 7,-1, 7, 6, 5,-1, 5, 4, 3,-1, 3, 2, 1,
- -1, 8, 7, 6,-1, 6, 5, 4,-1, 4, 3, 2,-1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set_epi32(6,4,2,0,6,4,2,0);
- const __m256i mask = _mm256_set1_epi32(0x3FFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[18*i]);
- f = _mm256_permute4x64_epi64(f,0x94);
- f = _mm256_shuffle_epi8(f,shufbidx);
- f = _mm256_srlv_epi32(f,srlvdidx);
- f = _mm256_and_si256(f,mask);
- f = _mm256_sub_epi32(gamma1,f);
- _mm256_store_si256(&r->vec[i],f);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-#elif GAMMA1 == (1 << 19)
-void polyz_unpack(poly * restrict r, const uint8_t *a) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1,11,10, 9,-1, 9, 8, 7,-1, 6, 5, 4,-1, 4, 3, 2,
- -1, 9, 8, 7,-1, 7, 6, 5,-1, 4, 3, 2,-1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set1_epi64x((uint64_t)4 << 32);
- const __m256i mask = _mm256_set1_epi32(0xFFFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[20*i]);
- f = _mm256_permute4x64_epi64(f,0x94);
- f = _mm256_shuffle_epi8(f,shufbidx);
- f = _mm256_srlv_epi32(f,srlvdidx);
- f = _mm256_and_si256(f,mask);
- f = _mm256_sub_epi32(gamma1,f);
- _mm256_store_si256(&r->vec[i],f);
- }
-
- DBENCH_STOP(*tpack);
-}
-#endif
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-#if GAMMA2 == (Q-1)/88
-void polyw1_pack(uint8_t *r, const poly * restrict a) {
- unsigned int i;
- __m256i f0,f1,f2,f3;
- const __m256i shift1 = _mm256_set1_epi16((64 << 8) + 1);
- const __m256i shift2 = _mm256_set1_epi32((4096 << 16) + 1);
- const __m256i shufdidx1 = _mm256_set_epi32(7,3,6,2,5,1,4,0);
- const __m256i shufdidx2 = _mm256_set_epi32(-1,-1,6,5,4,2,1,0);
- const __m256i shufbidx = _mm256_set_epi8(-1,-1,-1,-1,14,13,12,10, 9, 8, 6, 5, 4, 2, 1, 0,
- -1,-1,-1,-1,14,13,12,10, 9, 8, 6, 5, 4, 2, 1, 0);
- DBENCH_START();
-
- for(i = 0; i < N/32; i++) {
- f0 = _mm256_load_si256(&a->vec[4*i+0]);
- f1 = _mm256_load_si256(&a->vec[4*i+1]);
- f2 = _mm256_load_si256(&a->vec[4*i+2]);
- f3 = _mm256_load_si256(&a->vec[4*i+3]);
- f0 = _mm256_packus_epi32(f0,f1);
- f1 = _mm256_packus_epi32(f2,f3);
- f0 = _mm256_packus_epi16(f0,f1);
- f0 = _mm256_maddubs_epi16(f0,shift1);
- f0 = _mm256_madd_epi16(f0,shift2);
- f0 = _mm256_permutevar8x32_epi32(f0,shufdidx1);
- f0 = _mm256_shuffle_epi8(f0,shufbidx);
- f0 = _mm256_permutevar8x32_epi32(f0,shufdidx2);
- _mm256_storeu_si256((__m256i *)&r[24*i],f0);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-#elif GAMMA2 == (Q-1)/32
-void polyw1_pack(uint8_t *r, const poly * restrict a) {
- unsigned int i;
- __m256i f0, f1, f2, f3, f4, f5, f6, f7;
- const __m256i shift = _mm256_set1_epi16((16 << 8) + 1);
- const __m256i shufbidx = _mm256_set_epi8(15,14, 7, 6,13,12, 5, 4,11,10, 3, 2, 9, 8, 1, 0,
- 15,14, 7, 6,13,12, 5, 4,11,10, 3, 2, 9, 8, 1, 0);
- DBENCH_START();
-
- for(i = 0; i < N/64; ++i) {
- f0 = _mm256_load_si256(&a->vec[8*i+0]);
- f1 = _mm256_load_si256(&a->vec[8*i+1]);
- f2 = _mm256_load_si256(&a->vec[8*i+2]);
- f3 = _mm256_load_si256(&a->vec[8*i+3]);
- f4 = _mm256_load_si256(&a->vec[8*i+4]);
- f5 = _mm256_load_si256(&a->vec[8*i+5]);
- f6 = _mm256_load_si256(&a->vec[8*i+6]);
- f7 = _mm256_load_si256(&a->vec[8*i+7]);
- f0 = _mm256_packus_epi32(f0,f1);
- f1 = _mm256_packus_epi32(f2,f3);
- f2 = _mm256_packus_epi32(f4,f5);
- f3 = _mm256_packus_epi32(f6,f7);
- f0 = _mm256_packus_epi16(f0,f1);
- f1 = _mm256_packus_epi16(f2,f3);
- f0 = _mm256_maddubs_epi16(f0,shift);
- f1 = _mm256_maddubs_epi16(f1,shift);
- f0 = _mm256_packus_epi16(f0,f1);
- f0 = _mm256_permute4x64_epi64(f0,0xD8);
- f0 = _mm256_shuffle_epi8(f0,shufbidx);
- _mm256_storeu_si256((__m256i *)&r[32*i], f0);
- }
-
- DBENCH_STOP(*tpack);
-}
-#endif
+++ /dev/null
-#ifndef POLY_H
-#define POLY_H
-
-#include <stdint.h>
-#include "align.h"
-#include "params.h"
-#include "symmetric.h"
-
-typedef ALIGNED_INT32(N) poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_nttunpack DILITHIUM_NAMESPACE(poly_nttunpack)
-void poly_nttunpack(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform_preinit DILITHIUM_NAMESPACE(poly_uniform_preinit)
-void poly_uniform_preinit(poly *a, stream128_state *state);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-#define poly_uniform_eta_preinit DILITHIUM_NAMESPACE(poly_uniform_eta_preinit)
-void poly_uniform_eta_preinit(poly *a, stream256_state *state);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-#define poly_uniform_gamma1_preinit DILITHIUM_NAMESPACE(poly_uniform_gamma1_preinit)
-void poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#ifndef DILITHIUM_USE_AES
-#define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x)
-void poly_uniform_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#define poly_uniform_eta_4x DILITHIUM_NAMESPACE(poly_uniform_eta_4x)
-void poly_uniform_eta_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#define poly_uniform_gamma1_4x DILITHIUM_NAMESPACE(poly_uniform_gamma1_4x)
-void poly_uniform_gamma1_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#endif
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t a[POLYETA_PACKEDBYTES]);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t a[POLYT1_PACKEDBYTES]);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t a[POLYT0_PACKEDBYTES]);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "ntt.h"
-#include "consts.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-#ifdef DILITHIUM_USE_AES
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
- aes256_ctx_release(&state);
-}
-
-#elif K == 4 && L == 4
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvec_matrix_expand_row0(&mat[0], NULL, rho);
- polyvec_matrix_expand_row1(&mat[1], NULL, rho);
- polyvec_matrix_expand_row2(&mat[2], NULL, rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 256, 257, 258, 259);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 512, 513, 514, 515);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 768, 769, 770, 771);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-#elif K == 6 && L == 5
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvecl tmp;
- polyvec_matrix_expand_row0(&mat[0], &mat[1], rho);
- polyvec_matrix_expand_row1(&mat[1], &mat[2], rho);
- polyvec_matrix_expand_row2(&mat[2], &mat[3], rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
- polyvec_matrix_expand_row4(&mat[4], &mat[5], rho);
- polyvec_matrix_expand_row5(&mat[5], &tmp, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_uniform_4x(&rowa->vec[4], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 4, 256, 257, 258);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowb->vec[0], &rowb->vec[1], rho, 259, 260, 512, 513);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowb->vec[0], rho, 514, 515, 516, 768);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 769, 770, 771, 772);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
-}
-
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 1024, 1025, 1026, 1027);
- poly_uniform_4x(&rowa->vec[4], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 1028, 1280, 1281, 1282);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowb->vec[0], &rowb->vec[1], rho, 1283, 1284, 1536, 1537);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
-}
-
-#elif K == 8 && L == 7
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvec_matrix_expand_row0(&mat[0], &mat[1], rho);
- polyvec_matrix_expand_row1(&mat[1], &mat[2], rho);
- polyvec_matrix_expand_row2(&mat[2], &mat[3], rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
- polyvec_matrix_expand_row4(&mat[4], &mat[5], rho);
- polyvec_matrix_expand_row5(&mat[5], &mat[6], rho);
- polyvec_matrix_expand_row6(&mat[6], &mat[7], rho);
- polyvec_matrix_expand_row7(&mat[7], NULL, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_uniform_4x(&rowa->vec[4], &rowa->vec[5], &rowa->vec[6], &rowb->vec[0], rho, 4, 5, 6, 256);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 257, 258, 259, 260);
- poly_uniform_4x(&rowa->vec[5], &rowa->vec[6], &rowb->vec[0], &rowb->vec[1], rho, 261, 262, 512, 513);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowa->vec[5], rho, 514, 515, 516, 517);
- poly_uniform_4x(&rowa->vec[6], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 518, 768, 769, 770);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 771, 772, 773, 774);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
-}
-
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 1024, 1025, 1026, 1027);
- poly_uniform_4x(&rowa->vec[4], &rowa->vec[5], &rowa->vec[6], &rowb->vec[0], rho, 1028, 1029, 1030, 1280);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 1281, 1282, 1283, 1284);
- poly_uniform_4x(&rowa->vec[5], &rowa->vec[6], &rowb->vec[0], &rowb->vec[1], rho, 1285, 1286, 1536, 1537);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowa->vec[5], rho, 1538, 1539, 1540, 1541);
- poly_uniform_4x(&rowa->vec[6], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 1542, 1792, 1793, 1794);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row7(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 1795, 1796, 1797, 1798);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
-}
-
-#else
-#error
-#endif
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v) {
- pointwise_acc_avx(w->vec, u->vec->vec, v->vec->vec, qdata.vec);
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_caddq(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_shiftl(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - uint8_t *hint: pointer to output hint array
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1)
-{
- unsigned int i, n = 0;
-
- for(i = 0; i < K; ++i)
- n += poly_make_hint(&hint[n], &v0->vec[i], &v1->vec[i]);
-
- return n;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
-}
-
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyw1_pack(&r[i*POLYW1_PACKEDBYTES], &w1->vec[i]);
-}
+++ /dev/null
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery \
- DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#ifndef DILITHIUM_USE_AES
-#define polyvec_matrix_expand_row0 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row0)
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row1 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row1)
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row2 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row2)
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row3 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row3)
-void polyvec_matrix_expand_row3(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row4 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row4)
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row5 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row5)
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row6 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row6)
-void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row7 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row7)
-void polyvec_matrix_expand_row7(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#endif
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include "params.h"
-#include "rejsample.h"
-#include "symmetric.h"
-
-const uint8_t idxlut[256][8] = {
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 1, 0, 0, 0, 0, 0, 0, 0},
- { 0, 1, 0, 0, 0, 0, 0, 0},
- { 2, 0, 0, 0, 0, 0, 0, 0},
- { 0, 2, 0, 0, 0, 0, 0, 0},
- { 1, 2, 0, 0, 0, 0, 0, 0},
- { 0, 1, 2, 0, 0, 0, 0, 0},
- { 3, 0, 0, 0, 0, 0, 0, 0},
- { 0, 3, 0, 0, 0, 0, 0, 0},
- { 1, 3, 0, 0, 0, 0, 0, 0},
- { 0, 1, 3, 0, 0, 0, 0, 0},
- { 2, 3, 0, 0, 0, 0, 0, 0},
- { 0, 2, 3, 0, 0, 0, 0, 0},
- { 1, 2, 3, 0, 0, 0, 0, 0},
- { 0, 1, 2, 3, 0, 0, 0, 0},
- { 4, 0, 0, 0, 0, 0, 0, 0},
- { 0, 4, 0, 0, 0, 0, 0, 0},
- { 1, 4, 0, 0, 0, 0, 0, 0},
- { 0, 1, 4, 0, 0, 0, 0, 0},
- { 2, 4, 0, 0, 0, 0, 0, 0},
- { 0, 2, 4, 0, 0, 0, 0, 0},
- { 1, 2, 4, 0, 0, 0, 0, 0},
- { 0, 1, 2, 4, 0, 0, 0, 0},
- { 3, 4, 0, 0, 0, 0, 0, 0},
- { 0, 3, 4, 0, 0, 0, 0, 0},
- { 1, 3, 4, 0, 0, 0, 0, 0},
- { 0, 1, 3, 4, 0, 0, 0, 0},
- { 2, 3, 4, 0, 0, 0, 0, 0},
- { 0, 2, 3, 4, 0, 0, 0, 0},
- { 1, 2, 3, 4, 0, 0, 0, 0},
- { 0, 1, 2, 3, 4, 0, 0, 0},
- { 5, 0, 0, 0, 0, 0, 0, 0},
- { 0, 5, 0, 0, 0, 0, 0, 0},
- { 1, 5, 0, 0, 0, 0, 0, 0},
- { 0, 1, 5, 0, 0, 0, 0, 0},
- { 2, 5, 0, 0, 0, 0, 0, 0},
- { 0, 2, 5, 0, 0, 0, 0, 0},
- { 1, 2, 5, 0, 0, 0, 0, 0},
- { 0, 1, 2, 5, 0, 0, 0, 0},
- { 3, 5, 0, 0, 0, 0, 0, 0},
- { 0, 3, 5, 0, 0, 0, 0, 0},
- { 1, 3, 5, 0, 0, 0, 0, 0},
- { 0, 1, 3, 5, 0, 0, 0, 0},
- { 2, 3, 5, 0, 0, 0, 0, 0},
- { 0, 2, 3, 5, 0, 0, 0, 0},
- { 1, 2, 3, 5, 0, 0, 0, 0},
- { 0, 1, 2, 3, 5, 0, 0, 0},
- { 4, 5, 0, 0, 0, 0, 0, 0},
- { 0, 4, 5, 0, 0, 0, 0, 0},
- { 1, 4, 5, 0, 0, 0, 0, 0},
- { 0, 1, 4, 5, 0, 0, 0, 0},
- { 2, 4, 5, 0, 0, 0, 0, 0},
- { 0, 2, 4, 5, 0, 0, 0, 0},
- { 1, 2, 4, 5, 0, 0, 0, 0},
- { 0, 1, 2, 4, 5, 0, 0, 0},
- { 3, 4, 5, 0, 0, 0, 0, 0},
- { 0, 3, 4, 5, 0, 0, 0, 0},
- { 1, 3, 4, 5, 0, 0, 0, 0},
- { 0, 1, 3, 4, 5, 0, 0, 0},
- { 2, 3, 4, 5, 0, 0, 0, 0},
- { 0, 2, 3, 4, 5, 0, 0, 0},
- { 1, 2, 3, 4, 5, 0, 0, 0},
- { 0, 1, 2, 3, 4, 5, 0, 0},
- { 6, 0, 0, 0, 0, 0, 0, 0},
- { 0, 6, 0, 0, 0, 0, 0, 0},
- { 1, 6, 0, 0, 0, 0, 0, 0},
- { 0, 1, 6, 0, 0, 0, 0, 0},
- { 2, 6, 0, 0, 0, 0, 0, 0},
- { 0, 2, 6, 0, 0, 0, 0, 0},
- { 1, 2, 6, 0, 0, 0, 0, 0},
- { 0, 1, 2, 6, 0, 0, 0, 0},
- { 3, 6, 0, 0, 0, 0, 0, 0},
- { 0, 3, 6, 0, 0, 0, 0, 0},
- { 1, 3, 6, 0, 0, 0, 0, 0},
- { 0, 1, 3, 6, 0, 0, 0, 0},
- { 2, 3, 6, 0, 0, 0, 0, 0},
- { 0, 2, 3, 6, 0, 0, 0, 0},
- { 1, 2, 3, 6, 0, 0, 0, 0},
- { 0, 1, 2, 3, 6, 0, 0, 0},
- { 4, 6, 0, 0, 0, 0, 0, 0},
- { 0, 4, 6, 0, 0, 0, 0, 0},
- { 1, 4, 6, 0, 0, 0, 0, 0},
- { 0, 1, 4, 6, 0, 0, 0, 0},
- { 2, 4, 6, 0, 0, 0, 0, 0},
- { 0, 2, 4, 6, 0, 0, 0, 0},
- { 1, 2, 4, 6, 0, 0, 0, 0},
- { 0, 1, 2, 4, 6, 0, 0, 0},
- { 3, 4, 6, 0, 0, 0, 0, 0},
- { 0, 3, 4, 6, 0, 0, 0, 0},
- { 1, 3, 4, 6, 0, 0, 0, 0},
- { 0, 1, 3, 4, 6, 0, 0, 0},
- { 2, 3, 4, 6, 0, 0, 0, 0},
- { 0, 2, 3, 4, 6, 0, 0, 0},
- { 1, 2, 3, 4, 6, 0, 0, 0},
- { 0, 1, 2, 3, 4, 6, 0, 0},
- { 5, 6, 0, 0, 0, 0, 0, 0},
- { 0, 5, 6, 0, 0, 0, 0, 0},
- { 1, 5, 6, 0, 0, 0, 0, 0},
- { 0, 1, 5, 6, 0, 0, 0, 0},
- { 2, 5, 6, 0, 0, 0, 0, 0},
- { 0, 2, 5, 6, 0, 0, 0, 0},
- { 1, 2, 5, 6, 0, 0, 0, 0},
- { 0, 1, 2, 5, 6, 0, 0, 0},
- { 3, 5, 6, 0, 0, 0, 0, 0},
- { 0, 3, 5, 6, 0, 0, 0, 0},
- { 1, 3, 5, 6, 0, 0, 0, 0},
- { 0, 1, 3, 5, 6, 0, 0, 0},
- { 2, 3, 5, 6, 0, 0, 0, 0},
- { 0, 2, 3, 5, 6, 0, 0, 0},
- { 1, 2, 3, 5, 6, 0, 0, 0},
- { 0, 1, 2, 3, 5, 6, 0, 0},
- { 4, 5, 6, 0, 0, 0, 0, 0},
- { 0, 4, 5, 6, 0, 0, 0, 0},
- { 1, 4, 5, 6, 0, 0, 0, 0},
- { 0, 1, 4, 5, 6, 0, 0, 0},
- { 2, 4, 5, 6, 0, 0, 0, 0},
- { 0, 2, 4, 5, 6, 0, 0, 0},
- { 1, 2, 4, 5, 6, 0, 0, 0},
- { 0, 1, 2, 4, 5, 6, 0, 0},
- { 3, 4, 5, 6, 0, 0, 0, 0},
- { 0, 3, 4, 5, 6, 0, 0, 0},
- { 1, 3, 4, 5, 6, 0, 0, 0},
- { 0, 1, 3, 4, 5, 6, 0, 0},
- { 2, 3, 4, 5, 6, 0, 0, 0},
- { 0, 2, 3, 4, 5, 6, 0, 0},
- { 1, 2, 3, 4, 5, 6, 0, 0},
- { 0, 1, 2, 3, 4, 5, 6, 0},
- { 7, 0, 0, 0, 0, 0, 0, 0},
- { 0, 7, 0, 0, 0, 0, 0, 0},
- { 1, 7, 0, 0, 0, 0, 0, 0},
- { 0, 1, 7, 0, 0, 0, 0, 0},
- { 2, 7, 0, 0, 0, 0, 0, 0},
- { 0, 2, 7, 0, 0, 0, 0, 0},
- { 1, 2, 7, 0, 0, 0, 0, 0},
- { 0, 1, 2, 7, 0, 0, 0, 0},
- { 3, 7, 0, 0, 0, 0, 0, 0},
- { 0, 3, 7, 0, 0, 0, 0, 0},
- { 1, 3, 7, 0, 0, 0, 0, 0},
- { 0, 1, 3, 7, 0, 0, 0, 0},
- { 2, 3, 7, 0, 0, 0, 0, 0},
- { 0, 2, 3, 7, 0, 0, 0, 0},
- { 1, 2, 3, 7, 0, 0, 0, 0},
- { 0, 1, 2, 3, 7, 0, 0, 0},
- { 4, 7, 0, 0, 0, 0, 0, 0},
- { 0, 4, 7, 0, 0, 0, 0, 0},
- { 1, 4, 7, 0, 0, 0, 0, 0},
- { 0, 1, 4, 7, 0, 0, 0, 0},
- { 2, 4, 7, 0, 0, 0, 0, 0},
- { 0, 2, 4, 7, 0, 0, 0, 0},
- { 1, 2, 4, 7, 0, 0, 0, 0},
- { 0, 1, 2, 4, 7, 0, 0, 0},
- { 3, 4, 7, 0, 0, 0, 0, 0},
- { 0, 3, 4, 7, 0, 0, 0, 0},
- { 1, 3, 4, 7, 0, 0, 0, 0},
- { 0, 1, 3, 4, 7, 0, 0, 0},
- { 2, 3, 4, 7, 0, 0, 0, 0},
- { 0, 2, 3, 4, 7, 0, 0, 0},
- { 1, 2, 3, 4, 7, 0, 0, 0},
- { 0, 1, 2, 3, 4, 7, 0, 0},
- { 5, 7, 0, 0, 0, 0, 0, 0},
- { 0, 5, 7, 0, 0, 0, 0, 0},
- { 1, 5, 7, 0, 0, 0, 0, 0},
- { 0, 1, 5, 7, 0, 0, 0, 0},
- { 2, 5, 7, 0, 0, 0, 0, 0},
- { 0, 2, 5, 7, 0, 0, 0, 0},
- { 1, 2, 5, 7, 0, 0, 0, 0},
- { 0, 1, 2, 5, 7, 0, 0, 0},
- { 3, 5, 7, 0, 0, 0, 0, 0},
- { 0, 3, 5, 7, 0, 0, 0, 0},
- { 1, 3, 5, 7, 0, 0, 0, 0},
- { 0, 1, 3, 5, 7, 0, 0, 0},
- { 2, 3, 5, 7, 0, 0, 0, 0},
- { 0, 2, 3, 5, 7, 0, 0, 0},
- { 1, 2, 3, 5, 7, 0, 0, 0},
- { 0, 1, 2, 3, 5, 7, 0, 0},
- { 4, 5, 7, 0, 0, 0, 0, 0},
- { 0, 4, 5, 7, 0, 0, 0, 0},
- { 1, 4, 5, 7, 0, 0, 0, 0},
- { 0, 1, 4, 5, 7, 0, 0, 0},
- { 2, 4, 5, 7, 0, 0, 0, 0},
- { 0, 2, 4, 5, 7, 0, 0, 0},
- { 1, 2, 4, 5, 7, 0, 0, 0},
- { 0, 1, 2, 4, 5, 7, 0, 0},
- { 3, 4, 5, 7, 0, 0, 0, 0},
- { 0, 3, 4, 5, 7, 0, 0, 0},
- { 1, 3, 4, 5, 7, 0, 0, 0},
- { 0, 1, 3, 4, 5, 7, 0, 0},
- { 2, 3, 4, 5, 7, 0, 0, 0},
- { 0, 2, 3, 4, 5, 7, 0, 0},
- { 1, 2, 3, 4, 5, 7, 0, 0},
- { 0, 1, 2, 3, 4, 5, 7, 0},
- { 6, 7, 0, 0, 0, 0, 0, 0},
- { 0, 6, 7, 0, 0, 0, 0, 0},
- { 1, 6, 7, 0, 0, 0, 0, 0},
- { 0, 1, 6, 7, 0, 0, 0, 0},
- { 2, 6, 7, 0, 0, 0, 0, 0},
- { 0, 2, 6, 7, 0, 0, 0, 0},
- { 1, 2, 6, 7, 0, 0, 0, 0},
- { 0, 1, 2, 6, 7, 0, 0, 0},
- { 3, 6, 7, 0, 0, 0, 0, 0},
- { 0, 3, 6, 7, 0, 0, 0, 0},
- { 1, 3, 6, 7, 0, 0, 0, 0},
- { 0, 1, 3, 6, 7, 0, 0, 0},
- { 2, 3, 6, 7, 0, 0, 0, 0},
- { 0, 2, 3, 6, 7, 0, 0, 0},
- { 1, 2, 3, 6, 7, 0, 0, 0},
- { 0, 1, 2, 3, 6, 7, 0, 0},
- { 4, 6, 7, 0, 0, 0, 0, 0},
- { 0, 4, 6, 7, 0, 0, 0, 0},
- { 1, 4, 6, 7, 0, 0, 0, 0},
- { 0, 1, 4, 6, 7, 0, 0, 0},
- { 2, 4, 6, 7, 0, 0, 0, 0},
- { 0, 2, 4, 6, 7, 0, 0, 0},
- { 1, 2, 4, 6, 7, 0, 0, 0},
- { 0, 1, 2, 4, 6, 7, 0, 0},
- { 3, 4, 6, 7, 0, 0, 0, 0},
- { 0, 3, 4, 6, 7, 0, 0, 0},
- { 1, 3, 4, 6, 7, 0, 0, 0},
- { 0, 1, 3, 4, 6, 7, 0, 0},
- { 2, 3, 4, 6, 7, 0, 0, 0},
- { 0, 2, 3, 4, 6, 7, 0, 0},
- { 1, 2, 3, 4, 6, 7, 0, 0},
- { 0, 1, 2, 3, 4, 6, 7, 0},
- { 5, 6, 7, 0, 0, 0, 0, 0},
- { 0, 5, 6, 7, 0, 0, 0, 0},
- { 1, 5, 6, 7, 0, 0, 0, 0},
- { 0, 1, 5, 6, 7, 0, 0, 0},
- { 2, 5, 6, 7, 0, 0, 0, 0},
- { 0, 2, 5, 6, 7, 0, 0, 0},
- { 1, 2, 5, 6, 7, 0, 0, 0},
- { 0, 1, 2, 5, 6, 7, 0, 0},
- { 3, 5, 6, 7, 0, 0, 0, 0},
- { 0, 3, 5, 6, 7, 0, 0, 0},
- { 1, 3, 5, 6, 7, 0, 0, 0},
- { 0, 1, 3, 5, 6, 7, 0, 0},
- { 2, 3, 5, 6, 7, 0, 0, 0},
- { 0, 2, 3, 5, 6, 7, 0, 0},
- { 1, 2, 3, 5, 6, 7, 0, 0},
- { 0, 1, 2, 3, 5, 6, 7, 0},
- { 4, 5, 6, 7, 0, 0, 0, 0},
- { 0, 4, 5, 6, 7, 0, 0, 0},
- { 1, 4, 5, 6, 7, 0, 0, 0},
- { 0, 1, 4, 5, 6, 7, 0, 0},
- { 2, 4, 5, 6, 7, 0, 0, 0},
- { 0, 2, 4, 5, 6, 7, 0, 0},
- { 1, 2, 4, 5, 6, 7, 0, 0},
- { 0, 1, 2, 4, 5, 6, 7, 0},
- { 3, 4, 5, 6, 7, 0, 0, 0},
- { 0, 3, 4, 5, 6, 7, 0, 0},
- { 1, 3, 4, 5, 6, 7, 0, 0},
- { 0, 1, 3, 4, 5, 6, 7, 0},
- { 2, 3, 4, 5, 6, 7, 0, 0},
- { 0, 2, 3, 4, 5, 6, 7, 0},
- { 1, 2, 3, 4, 5, 6, 7, 0},
- { 0, 1, 2, 3, 4, 5, 6, 7}
-};
-
-unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_BUFLEN+8])
-{
- unsigned int ctr, pos;
- uint32_t good;
- __m256i d, tmp;
- const __m256i bound = _mm256_set1_epi32(Q);
- const __m256i mask = _mm256_set1_epi32(0x7FFFFF);
- const __m256i idx8 = _mm256_set_epi8(-1,15,14,13,-1,12,11,10,
- -1, 9, 8, 7,-1, 6, 5, 4,
- -1,11,10, 9,-1, 8, 7, 6,
- -1, 5, 4, 3,-1, 2, 1, 0);
-
- ctr = pos = 0;
- while(pos <= REJ_UNIFORM_BUFLEN - 24) {
- d = _mm256_loadu_si256((__m256i *)&buf[pos]);
- d = _mm256_permute4x64_epi64(d, 0x94);
- d = _mm256_shuffle_epi8(d, idx8);
- d = _mm256_and_si256(d, mask);
- pos += 24;
-
- tmp = _mm256_sub_epi32(d, bound);
- good = _mm256_movemask_ps((__m256)tmp);
- tmp = _mm256_cvtepu8_epi32(_mm_loadl_epi64((__m128i *)&idxlut[good]));
- d = _mm256_permutevar8x32_epi32(d, tmp);
-
- _mm256_storeu_si256((__m256i *)&r[ctr], d);
- ctr += _mm_popcnt_u32(good);
-
-#ifndef DILITHIUM_USE_AES
- if(ctr > N - 8) break;
-#endif
- }
-
-#ifndef DILITHIUM_USE_AES
- uint32_t t;
- while(ctr < N && pos <= REJ_UNIFORM_BUFLEN - 3) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- r[ctr++] = t;
- }
-#endif
-
- return ctr;
-}
-
-#if ETA == 2
-unsigned int rej_eta_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) {
- unsigned int ctr, pos;
- uint32_t good;
- __m256i f0, f1, f2;
- __m128i g0, g1;
- const __m256i mask = _mm256_set1_epi8(15);
- const __m256i eta = _mm256_set1_epi8(ETA);
- const __m256i bound = mask;
- const __m256i v = _mm256_set1_epi32(-6560);
- const __m256i p = _mm256_set1_epi32(5);
-
- ctr = pos = 0;
- while(ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) {
- f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos]));
- f1 = _mm256_slli_epi16(f0,4);
- f0 = _mm256_or_si256(f0,f1);
- f0 = _mm256_and_si256(f0,mask);
-
- f1 = _mm256_sub_epi8(f0,bound);
- f0 = _mm256_sub_epi8(eta,f0);
- good = _mm256_movemask_epi8(f1);
-
- g0 = _mm256_castsi256_si128(f0);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm256_extracti128_si256(f0,1);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good);
- pos += 4;
- }
-
- uint32_t t0, t1;
- while(ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- r[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < N) {
- t1 = t1 - (205*t1 >> 10)*5;
- r[ctr++] = 2 - t1;
- }
- }
-
- return ctr;
-}
-
-#elif ETA == 4
-unsigned int rej_eta_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) {
- unsigned int ctr, pos;
- uint32_t good;
- __m256i f0, f1;
- __m128i g0, g1;
- const __m256i mask = _mm256_set1_epi8(15);
- const __m256i eta = _mm256_set1_epi8(4);
- const __m256i bound = _mm256_set1_epi8(9);
-
- ctr = pos = 0;
- while(ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) {
- f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos]));
- f1 = _mm256_slli_epi16(f0,4);
- f0 = _mm256_or_si256(f0,f1);
- f0 = _mm256_and_si256(f0,mask);
-
- f1 = _mm256_sub_epi8(f0,bound);
- f0 = _mm256_sub_epi8(eta,f0);
- good = _mm256_movemask_epi8(f1);
-
- g0 = _mm256_castsi256_si128(f0);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm256_extracti128_si256(f0,1);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good);
- pos += 4;
- }
-
- uint32_t t0, t1;
- while(ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if(t0 < 9)
- r[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < N)
- r[ctr++] = 4 - t1;
- }
-
- return ctr;
-}
-#endif
+++ /dev/null
-#ifndef REJSAMPLE_H
-#define REJSAMPLE_H
-
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-
-#define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
-
-#if ETA == 2
-#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-#endif
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
-
-#define idxlut DILITHIUM_NAMESPACE(idxlut)
-extern const uint8_t idxlut[256][8];
-
-#define rej_uniform_avx DILITHIUM_NAMESPACE(rej_uniform_avx)
-unsigned int rej_uniform_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN+8]);
-
-#define rej_eta_avx DILITHIUM_NAMESPACE(rej_eta_avx)
-unsigned int rej_eta_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]);
-
-#endif
-
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include <string.h>
-#include "params.h"
-#include "rounding.h"
-#include "rejsample.h"
-#include "consts.h"
-
-#define _mm256_blendv_epi32(a,b,mask) \
- _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \
- _mm256_castsi256_ps(b), \
- _mm256_castsi256_ps(mask)))
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field elements a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be positive standard representative.
-*
-* Arguments: - __m256i *a1: output array of length N/8 with high bits
-* - __m256i *a0: output array of length N/8 with low bits a0
-* - const __m256i *a: input array of length N/8
-*
-**************************************************/
-void power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1;
- const __m256i mask = _mm256_set1_epi32(-(1 << D));
- const __m256i half = _mm256_set1_epi32((1 << (D-1)) - 1);
-
- for(i = 0; i < N/8; ++i) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,half);
- f0 = _mm256_and_si256(f1,mask);
- f1 = _mm256_srli_epi32(f1,D);
- f0 = _mm256_sub_epi32(f,f0);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low parts a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod Q - Q < 0. Assumes a to be positive standard
-* representative.
-*
-* Arguments: - __m256i *a1: output array of length N/8 with high parts
-* - __m256i *a0: output array of length N/8 with low parts a0
-* - const __m256i *a: input array of length N/8
-*
-**************************************************/
-#if GAMMA2 == (Q-1)/32
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i hq = _mm256_srli_epi32(q,1);
- const __m256i v = _mm256_set1_epi32(1025);
- const __m256i alpha = _mm256_set1_epi32(2*GAMMA2);
- const __m256i off = _mm256_set1_epi32(127);
- const __m256i shift = _mm256_set1_epi32(512);
- const __m256i mask = _mm256_set1_epi32(15);
-
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,off);
- f1 = _mm256_srli_epi32(f1,7);
- f1 = _mm256_mulhi_epu16(f1,v);
- f1 = _mm256_mulhrs_epi16(f1,shift);
- f1 = _mm256_and_si256(f1,mask);
- f0 = _mm256_mullo_epi32(f1,alpha);
- f0 = _mm256_sub_epi32(f,f0);
- f = _mm256_cmpgt_epi32(f0,hq);
- f = _mm256_and_si256(f,q);
- f0 = _mm256_sub_epi32(f0,f);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-
-#elif GAMMA2 == (Q-1)/88
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1,t;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i hq = _mm256_srli_epi32(q,1);
- const __m256i v = _mm256_set1_epi32(11275);
- const __m256i alpha = _mm256_set1_epi32(2*GAMMA2);
- const __m256i off = _mm256_set1_epi32(127);
- const __m256i shift = _mm256_set1_epi32(128);
- const __m256i max = _mm256_set1_epi32(43);
- const __m256i zero = _mm256_setzero_si256();
-
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,off);
- f1 = _mm256_srli_epi32(f1,7);
- f1 = _mm256_mulhi_epu16(f1,v);
- f1 = _mm256_mulhrs_epi16(f1,shift);
- t = _mm256_sub_epi32(max,f1);
- f1 = _mm256_blendv_epi32(f1,zero,t);
- f0 = _mm256_mullo_epi32(f1,alpha);
- f0 = _mm256_sub_epi32(f,f0);
- f = _mm256_cmpgt_epi32(f0,hq);
- f = _mm256_and_si256(f,q);
- f0 = _mm256_sub_epi32(f0,f);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-#endif
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute indices of polynomial coefficients whose low bits
-* overflow into the high bits.
-*
-* Arguments: - uint8_t *hint: hint array
-* - const __m256i *a0: low bits of input elements
-* - const __m256i *a1: high bits of input elements
-*
-* Returns number of overflowing low bits
-**************************************************/
-unsigned int make_hint_avx(uint8_t hint[N], const __m256i * restrict a0, const __m256i * restrict a1)
-{
- unsigned int i, n = 0;
- __m256i f0, f1, g0, g1;
- uint32_t bad;
- uint64_t idx;
- const __m256i low = _mm256_set1_epi32(-GAMMA2);
- const __m256i high = _mm256_set1_epi32(GAMMA2);
-
- for(i = 0; i < N/8; ++i) {
- f0 = _mm256_load_si256(&a0[i]);
- f1 = _mm256_load_si256(&a1[i]);
- g0 = _mm256_abs_epi32(f0);
- g0 = _mm256_cmpgt_epi32(g0,high);
- g1 = _mm256_cmpeq_epi32(f0,low);
- g1 = _mm256_sign_epi32(g1,f1);
- g0 = _mm256_or_si256(g0,g1);
-
- bad = _mm256_movemask_ps((__m256)g0);
- memcpy(&idx,idxlut[bad],8);
- idx += (uint64_t)0x0808080808080808*i;
- memcpy(&hint[n],&idx,8);
- n += _mm_popcnt_u32(bad);
- }
-
- return n;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high parts according to hint.
-*
-* Arguments: - __m256i *b: output array of length N/8 with corrected high parts
-* - const __m256i *a: input array of length N/8
-* - const __m256i *a: input array of length N/8 with hint bits
-*
-**************************************************/
-void use_hint_avx(__m256i *b, const __m256i *a, const __m256i * restrict hint) {
- unsigned int i;
- __m256i a0[N/8];
- __m256i f,g,h,t;
- const __m256i zero = _mm256_setzero_si256();
-#if GAMMA2 == (Q-1)/32
- const __m256i mask = _mm256_set1_epi32(15);
-#elif GAMMA2 == (Q-1)/88
- const __m256i max = _mm256_set1_epi32(43);
-#endif
-
- decompose_avx(b, a0, a);
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a0[i]);
- g = _mm256_load_si256(&b[i]);
- h = _mm256_load_si256(&hint[i]);
- t = _mm256_blendv_epi32(zero,h,f);
- t = _mm256_slli_epi32(t,1);
- h = _mm256_sub_epi32(h,t);
- g = _mm256_add_epi32(g,h);
-#if GAMMA2 == (Q-1)/32
- g = _mm256_and_si256(g,mask);
-#elif GAMMA2 == (Q-1)/88
- g = _mm256_blendv_epi32(g,max,g);
- f = _mm256_cmpgt_epi32(g,max);
- g = _mm256_blendv_epi32(g,zero,f);
-#endif
- _mm256_store_si256(&b[i],g);
- }
-}
+++ /dev/null
-#ifndef ROUNDING_H
-#define ROUNDING_H
-
-#include <stdint.h>
-#include <immintrin.h>
-#include "params.h"
-
-#define power2round_avx DILITHIUM_NAMESPACE(power2round_avx)
-void power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a);
-#define decompose_avx DILITHIUM_NAMESPACE(decompose_avx)
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a);
-#define make_hint_avx DILITHIUM_NAMESPACE(make_hint_avx)
-unsigned int make_hint_avx(uint8_t hint[N], const __m256i *a0, const __m256i *a1);
-#define use_hint_avx DILITHIUM_NAMESPACE(use_hint_avx)
-void use_hint_avx(__m256i *b, const __m256i *a, const __m256i *hint);
-
-#endif
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-#store
-vmovdqa %ymm9,(%rdi)
-vmovdqa %ymm8,32(%rdi)
-vmovdqa %ymm7,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm5,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm3,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(nttunpack_avx)
-cdecl(nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
+++ /dev/null
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
+++ /dev/null
-#include <stdint.h>
-#include <string.h>
-#include "align.h"
-#include "params.h"
-#include "sign.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "fips202.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-
-#ifndef DILITHIUM_USE_AES
-static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], const uint8_t rho[SEEDBYTES], unsigned int i) {
- switch(i) {
- case 0:
- polyvec_matrix_expand_row0(buf, buf + 1, rho);
- *row = buf;
- break;
- case 1:
- polyvec_matrix_expand_row1(buf + 1, buf, rho);
- *row = buf + 1;
- break;
- case 2:
- polyvec_matrix_expand_row2(buf, buf + 1, rho);
- *row = buf;
- break;
- case 3:
- polyvec_matrix_expand_row3(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#if K > 4
- case 4:
- polyvec_matrix_expand_row4(buf, buf + 1, rho);
- *row = buf;
- break;
- case 5:
- polyvec_matrix_expand_row5(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#endif
-#if K > 6
- case 6:
- polyvec_matrix_expand_row6(buf, buf + 1, rho);
- *row = buf;
- break;
- case 7:
- polyvec_matrix_expand_row7(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#endif
- }
-}
-#endif
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- unsigned int i;
- uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- const uint8_t *rho, *rhoprime, *key;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
- polyvecl rowbuf[2];
-#endif
- polyvecl s1, *row = rowbuf;
- polyveck s2;
- poly t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Store rho, key */
- memcpy(pk, rho, SEEDBYTES);
- memcpy(sk, rho, SEEDBYTES);
- memcpy(sk + SEEDBYTES, key, SEEDBYTES);
-
- /* Sample short vectors s1 and s2 */
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
- aes256_ctx_release(&aesctx);
-#elif K == 4 && L == 4
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
-#elif K == 6 && L == 5
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s1.vec[4], &s2.vec[0], &s2.vec[1], &s2.vec[2], rhoprime, 4, 5, 6, 7);
- poly_uniform_eta_4x(&s2.vec[3], &s2.vec[4], &s2.vec[5], &t0, rhoprime, 8, 9, 10, 11);
-#elif K == 8 && L == 7
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s1.vec[4], &s1.vec[5], &s1.vec[6], &s2.vec[0], rhoprime, 4, 5, 6, 7);
- poly_uniform_eta_4x(&s2.vec[1], &s2.vec[2], &s2.vec[3], &s2.vec[4], rhoprime, 8, 9, 10, 11);
- poly_uniform_eta_4x(&s2.vec[5], &s2.vec[6], &s2.vec[7], &t0, rhoprime, 12, 13, 14, 15);
-#else
-#error
-#endif
-
- /* Pack secret vectors */
- for(i = 0; i < L; i++)
- polyeta_pack(sk + 3*SEEDBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
- for(i = 0; i < K; i++)
- polyeta_pack(sk + 3*SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
-
- /* Transform s1 */
- polyvecl_ntt(&s1);
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rho, 0);
-#endif
-
- for(i = 0; i < K; i++) {
- /* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
- polyvec_matrix_expand_row(&row, rowbuf, rho, i);
-#endif
-
- /* Compute inner-product */
- polyvecl_pointwise_acc_montgomery(&t1, row, &s1);
- poly_invntt_tomont(&t1);
-
- /* Add error polynomial */
- poly_add(&t1, &t1, &s2.vec[i]);
-
- /* Round t and pack t1, t0 */
- poly_caddq(&t1);
- poly_power2round(&t1, &t0, &t1);
- polyt1_pack(pk + SEEDBYTES + i*POLYT1_PACKEDBYTES, &t1);
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- /* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned int i, n, pos;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint8_t hintbuf[N];
- uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
- uint64_t nonce = 0;
- polyvecl mat[K], s1, z;
- polyveck t0, s2, w1;
- poly c, tmp;
- union {
- polyvecl y;
- polyveck w0;
- } tmpv;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
-#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-#endif
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
-#endif
-
-rej:
- /* Sample intermediate vector y */
-#ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
- aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-#elif L == 4
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- nonce += 4;
-#elif L == 5
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- poly_uniform_gamma1(&z.vec[4], rhoprime, nonce + 4);
- nonce += 5;
-#elif L == 7
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- poly_uniform_gamma1_4x(&z.vec[4], &z.vec[5], &z.vec[6], &tmp,
- rhoprime, nonce + 4, nonce + 5, nonce + 6, 0);
- nonce += 7;
-#else
-#error
-#endif
-
- /* Matrix-vector product */
- tmpv.y = z;
- polyvecl_ntt(&tmpv.y);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &tmpv.y);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &tmpv.w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
- /* Compute z, reject if it reveals secret */
- for(i = 0; i < L; i++) {
- poly_pointwise_montgomery(&tmp, &c, &s1.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_add(&z.vec[i], &z.vec[i], &tmp);
- poly_reduce(&z.vec[i]);
- if(poly_chknorm(&z.vec[i], GAMMA1 - BETA))
- goto rej;
- }
-
- /* Zero hint vector in signature */
- pos = 0;
- memset(hint, 0, OMEGA);
-
- for(i = 0; i < K; i++) {
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- poly_pointwise_montgomery(&tmp, &c, &s2.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_sub(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp);
- poly_reduce(&tmpv.w0.vec[i]);
- if(poly_chknorm(&tmpv.w0.vec[i], GAMMA2 - BETA))
- goto rej;
-
- /* Compute hints */
- poly_pointwise_montgomery(&tmp, &c, &t0.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_reduce(&tmp);
- if(poly_chknorm(&tmp, GAMMA2))
- goto rej;
-
- poly_add(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp);
- n = poly_make_hint(hintbuf, &tmpv.w0.vec[i], &w1.vec[i]);
- if(pos + n > OMEGA)
- goto rej;
-
- /* Store hints in signature */
- memcpy(&hint[pos], hintbuf, n);
- hint[OMEGA + i] = pos = pos + n;
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- shake256_inc_ctx_release(&state);
- /* Pack z into signature */
- for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
-
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t i;
-
- for(i = 0; i < mlen; ++i)
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) {
- unsigned int i, j, pos = 0;
- /* polyw1_pack writes additional 14 bytes */
- ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf;
- uint8_t mu[CRHBYTES];
- const uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
- polyvecl rowbuf[2];
-#endif
- polyvecl *row = rowbuf;
- polyvecl z;
- poly c, w1, h;
- shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- /* Expand challenge */
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
- /* Unpack z; shortness follows from unpacking */
- for(i = 0; i < L; i++) {
- polyz_unpack(&z.vec[i], sig + SEEDBYTES + i*POLYZ_PACKEDBYTES);
- poly_ntt(&z.vec[i]);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, pk, 0);
-#endif
-
- for(i = 0; i < K; i++) {
- /* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
- polyvec_matrix_expand_row(&row, rowbuf, pk, i);
-#endif
-
- /* Compute i-th row of Az - c2^Dt1 */
- polyvecl_pointwise_acc_montgomery(&w1, row, &z);
-
- polyt1_unpack(&h, pk + SEEDBYTES + i*POLYT1_PACKEDBYTES);
- poly_shiftl(&h);
- poly_ntt(&h);
- poly_pointwise_montgomery(&h, &c, &h);
-
- poly_sub(&w1, &w1, &h);
- poly_reduce(&w1);
- poly_invntt_tomont(&w1);
-
- /* Get hint polynomial and reconstruct w1 */
- memset(h.vec, 0, sizeof(poly));
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
-
- for(j = pos; j < hint[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > pos && hint[j] <= hint[j-1]) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
- h.coeffs[hint[j]] = 1;
- }
- pos = hint[OMEGA + i];
-
- poly_caddq(&w1);
- poly_use_hint(&w1, &w1, &h);
- polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- /* Extra indices are zero for strong unforgeability */
- for(j = pos; j < OMEGA; ++j)
- if(hint[j]) return -1;
-
- /* Call random oracle and verify challenge */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(buf.coeffs[i] != sig[i])
- return -1;
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- size_t i;
-
- if(smlen < CRYPTO_BYTES)
- goto badsig;
-
- *mlen = smlen - CRYPTO_BYTES;
- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk))
- goto badsig;
- else {
- /* All good, copy msg, return 0 */
- for(i = 0; i < *mlen; ++i)
- m[i] = sm[CRYPTO_BYTES + i];
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for(i = 0; i < smlen; ++i)
- m[i] = 0;
-
- return -1;
-}
+++ /dev/null
-#ifndef SIGN_H
-#define SIGN_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
+++ /dev/null
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include <stdint.h>
-#include "params.h"
-
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) aes256_ctx_release(STATE)
-
-#else
-
-#include "fips202.h"
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-#endif
-
-#endif
+++ /dev/null
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
-or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
-
-For Keccak and the random number generator
-we are using public-domain code from sources
-and by authors listed in comments on top of
-the respective files.
+++ /dev/null
-#ifndef API_H
-#define API_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_ref_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_ref_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium2aes_ref_PUBLICKEYBYTES pqcrystals_dilithium2_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_ref_SECRETKEYBYTES pqcrystals_dilithium2_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_ref_BYTES pqcrystals_dilithium2_ref_BYTES
-
-int pqcrystals_dilithium2aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
-
-#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_ref_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3aes_ref_PUBLICKEYBYTES pqcrystals_dilithium3_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_ref_SECRETKEYBYTES pqcrystals_dilithium3_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_ref_BYTES pqcrystals_dilithium3_ref_BYTES
-
-int pqcrystals_dilithium3aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
-
-#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_ref_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5aes_ref_PUBLICKEYBYTES pqcrystals_dilithium5_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_ref_SECRETKEYBYTES pqcrystals_dilithium5_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_ref_BYTES pqcrystals_dilithium5_ref_BYTES
-
-int pqcrystals_dilithium5aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_ref_##s
-#endif
-#else
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
-#endif
-#endif
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "ntt.h"
-#include "reduce.h"
-
-static const int32_t zetas[N] = {
- 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468,
- 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103,
- 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549,
- -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005,
- 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439,
- -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299,
- -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596,
- 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
- -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221,
- -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922,
- 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047,
- -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430,
- -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618,
- -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856,
- 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330,
- 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961,
- 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462,
- 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378,
- 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500,
- -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838,
- 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044,
- 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974,
- -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970,
- -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642,
- -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031,
- -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993,
- -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385,
- -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107,
- -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078,
- -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893,
- -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687,
- -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782
-};
-
-/*************************************************
-* Name: ntt
-*
-* Description: Forward NTT, in-place. No modular reduction is performed after
-* additions or subtractions. Output vector is in bitreversed order.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void ntt(int32_t a[N]) {
- unsigned int len, start, j, k;
- int32_t zeta, t;
-
- k = 0;
- for(len = 128; len > 0; len >>= 1) {
- for(start = 0; start < N; start = j + len) {
- zeta = zetas[++k];
- for(j = start; j < start + len; ++j) {
- t = montgomery_reduce((int64_t)zeta * a[j + len]);
- a[j + len] = a[j] - t;
- a[j] = a[j] + t;
- }
- }
- }
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
-* In-place. No modular reductions after additions or
-* subtractions; input coefficients need to be smaller than
-* Q in absolute value. Output coefficient are smaller than Q in
-* absolute value.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void invntt_tomont(int32_t a[N]) {
- unsigned int start, len, j, k;
- int32_t t, zeta;
- const int32_t f = 41978; // mont^2/256
-
- k = 256;
- for(len = 1; len < N; len <<= 1) {
- for(start = 0; start < N; start = j + len) {
- zeta = -zetas[--k];
- for(j = start; j < start + len; ++j) {
- t = a[j];
- a[j] = t + a[j + len];
- a[j + len] = t - a[j + len];
- a[j + len] = montgomery_reduce((int64_t)zeta * a[j + len]);
- }
- }
- }
-
- for(j = 0; j < N; ++j) {
- a[j] = montgomery_reduce((int64_t)f * a[j]);
- }
-}
+++ /dev/null
-#ifndef NTT_H
-#define NTT_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define ntt DILITHIUM_NAMESPACE(ntt)
-void ntt(int32_t a[N]);
-
-#define invntt_tomont DILITHIUM_NAMESPACE(invntt_tomont)
-void invntt_tomont(int32_t a[N]);
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- pk[i] = rho[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = pk[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = rho[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = key[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = tr[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s2->vec[i]);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- key[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- tr[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i=0; i < L; ++i)
- polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyeta_unpack(&s2->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h)
-{
- unsigned int i, j, k;
-
- for(i=0; i < SEEDBYTES; ++i)
- sig[i] = c[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for(i = 0; i < OMEGA + K; ++i)
- sig[i] = 0;
-
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- if(h->vec[i].coeffs[j] != 0)
- sig[k++] = j;
-
- sig[OMEGA + i] = k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES])
-{
- unsigned int i, j, k;
-
- for(i = 0; i < SEEDBYTES; ++i)
- c[i] = sig[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- h->vec[i].coeffs[j] = 0;
-
- if(sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
- return 1;
-
- for(j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > k && sig[j] <= sig[j-1]) return 1;
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for(j = k; j < OMEGA; ++j)
- if(sig[j])
- return 1;
-
- return 0;
-}
+++ /dev/null
-#ifndef PACKING_H
-#define PACKING_H
-
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#include "config.h"
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-
-#endif
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES 96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-#include "ntt.h"
-#include "reduce.h"
-#include "rounding.h"
-#include "symmetric.h"
-
-#ifdef DBENCH
-#include "test/cpucycles.h"
-extern const uint64_t timing_overhead;
-extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
-#define DBENCH_START() uint64_t time = cpucycles()
-#define DBENCH_STOP(t) t += cpucycles() - time - timing_overhead
-#else
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-#endif
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007].
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_reduce(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] = reduce32(a->coeffs[i]);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_caddq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_caddq(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] = caddq(a->coeffs[i]);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = a->coeffs[i] - b->coeffs[i];
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] <<= D;
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_tomont(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_power2round(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a1->coeffs[i] = power2round(&a0->coeffs[i], a->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint polynomial. The coefficients of which indicate
-* whether the low bits of the corresponding coefficient of
-* the input polynomial overflow into the high bits.
-*
-* Arguments: - poly *h: pointer to output hint polynomial
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
- unsigned int i, s = 0;
- DBENCH_START();
-
- for(i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
- s += h->coeffs[i];
- }
-
- DBENCH_STOP(*tround);
- return s;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input coefficients were reduced by reduce32().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int32_t t;
- DBENCH_START();
-
- if(B > (Q-1)/8)
- return 1;
-
- /* It is ok to leak which coefficient violates the bound since
- the probability for each coefficient is independent of secret
- data but we must not leak the sign of the centralized representative. */
- for(i = 0; i < N; ++i) {
- /* Absolute value */
- t = a->coeffs[i] >> 31;
- t = a->coeffs[i] - (t & 2*a->coeffs[i]);
-
- if(t >= B) {
- DBENCH_STOP(*tsample);
- return 1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return 0;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- a[ctr++] = t;
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce)
-{
- unsigned int i, ctr, off;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES + 2];
- stream128_state state;
-
- stream128_init(&state, seed, nonce);
- stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);
-
- ctr = rej_uniform(a->coeffs, N, buf, buflen);
-
- while(ctr < N) {
- off = buflen % 3;
- for(i = 0; i < off; ++i)
- buf[i] = buf[buflen - off + i];
-
- stream128_squeezeblocks(buf + off, 1, &state);
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
- stream128_release(&state);
-}
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-#if ETA == 2
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- a[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < len) {
- t1 = t1 - (205*t1 >> 10)*5;
- a[ctr++] = 2 - t1;
- }
-#elif ETA == 4
- if(t0 < 9)
- a[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < len)
- a[ctr++] = 4 - t1;
-#endif
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#if ETA == 2
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#endif
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
-{
- unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr = rej_eta(a->coeffs, N, buf, buflen);
-
- while(ctr < N) {
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
- stream256_release(&state);
-}
-
-/*************************************************
-* Name: poly_uniform_gamma1m1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
-{
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- stream256_release(&state);
- polyz_unpack(a, buf);
-}
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_squeezeblocks(buf, 1, &state);
-
- signs = 0;
- for(i = 0; i < 8; ++i)
- signs |= (uint64_t)buf[i] << 8*i;
- pos = 8;
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = 0;
- for(i = N-TAU; i < N; ++i) {
- do {
- if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(buf, 1, &state);
- pos = 0;
- }
-
- b = buf[pos++];
- } while(b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
-
- r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
- r[i] = t[0] | (t[1] << 4);
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
- r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
- r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7;
- r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7;
- r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7;
- r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7;
- r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
- r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
-
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[i] & 0x0F;
- r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r[5*i+0] = (a->coeffs[4*i+0] >> 0);
- r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2);
- r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4);
- r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6);
- r[5*i+4] = (a->coeffs[4*i+3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt1_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF;
- r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF;
- r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF;
- r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- t[0] = (1 << (D-1)) - a->coeffs[8*i+0];
- t[1] = (1 << (D-1)) - a->coeffs[8*i+1];
- t[2] = (1 << (D-1)) - a->coeffs[8*i+2];
- t[3] = (1 << (D-1)) - a->coeffs[8*i+3];
- t[4] = (1 << (D-1)) - a->coeffs[8*i+4];
- t[5] = (1 << (D-1)) - a->coeffs[8*i+5];
- t[6] = (1 << (D-1)) - a->coeffs[8*i+6];
- t[7] = (1 << (D-1)) - a->coeffs[8*i+7];
-
- r[13*i+ 0] = t[0];
- r[13*i+ 1] = t[0] >> 8;
- r[13*i+ 1] |= t[1] << 5;
- r[13*i+ 2] = t[1] >> 3;
- r[13*i+ 3] = t[1] >> 11;
- r[13*i+ 3] |= t[2] << 2;
- r[13*i+ 4] = t[2] >> 6;
- r[13*i+ 4] |= t[3] << 7;
- r[13*i+ 5] = t[3] >> 1;
- r[13*i+ 6] = t[3] >> 9;
- r[13*i+ 6] |= t[4] << 4;
- r[13*i+ 7] = t[4] >> 4;
- r[13*i+ 8] = t[4] >> 12;
- r[13*i+ 8] |= t[5] << 1;
- r[13*i+ 9] = t[5] >> 7;
- r[13*i+ 9] |= t[6] << 6;
- r[13*i+10] = t[6] >> 2;
- r[13*i+11] = t[6] >> 10;
- r[13*i+11] |= t[7] << 3;
- r[13*i+12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = a[13*i+0];
- r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8;
- r->coeffs[8*i+0] &= 0x1FFF;
-
- r->coeffs[8*i+1] = a[13*i+1] >> 5;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11;
- r->coeffs[8*i+1] &= 0x1FFF;
-
- r->coeffs[8*i+2] = a[13*i+3] >> 2;
- r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6;
- r->coeffs[8*i+2] &= 0x1FFF;
-
- r->coeffs[8*i+3] = a[13*i+4] >> 7;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9;
- r->coeffs[8*i+3] &= 0x1FFF;
-
- r->coeffs[8*i+4] = a[13*i+6] >> 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12;
- r->coeffs[8*i+4] &= 0x1FFF;
-
- r->coeffs[8*i+5] = a[13*i+8] >> 1;
- r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7;
- r->coeffs[8*i+5] &= 0x1FFF;
-
- r->coeffs[8*i+6] = a[13*i+9] >> 6;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10;
- r->coeffs[8*i+6] &= 0x1FFF;
-
- r->coeffs[8*i+7] = a[13*i+11] >> 3;
- r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5;
- r->coeffs[8*i+7] &= 0x1FFF;
-
- r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
-
- r[9*i+0] = t[0];
- r[9*i+1] = t[0] >> 8;
- r[9*i+2] = t[0] >> 16;
- r[9*i+2] |= t[1] << 2;
- r[9*i+3] = t[1] >> 6;
- r[9*i+4] = t[1] >> 14;
- r[9*i+4] |= t[2] << 4;
- r[9*i+5] = t[2] >> 4;
- r[9*i+6] = t[2] >> 12;
- r[9*i+6] |= t[3] << 6;
- r[9*i+7] = t[3] >> 2;
- r[9*i+8] = t[3] >> 10;
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
-
- r[5*i+0] = t[0];
- r[5*i+1] = t[0] >> 8;
- r[5*i+2] = t[0] >> 16;
- r[5*i+2] |= t[1] << 4;
- r[5*i+3] = t[1] >> 4;
- r[5*i+4] = t[1] >> 12;
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = a[9*i+0];
- r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8;
- r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16;
- r->coeffs[4*i+0] &= 0x3FFFF;
-
- r->coeffs[4*i+1] = a[9*i+2] >> 2;
- r->coeffs[4*i+1] |= (uint32_t)a[9*i+3] << 6;
- r->coeffs[4*i+1] |= (uint32_t)a[9*i+4] << 14;
- r->coeffs[4*i+1] &= 0x3FFFF;
-
- r->coeffs[4*i+2] = a[9*i+4] >> 4;
- r->coeffs[4*i+2] |= (uint32_t)a[9*i+5] << 4;
- r->coeffs[4*i+2] |= (uint32_t)a[9*i+6] << 12;
- r->coeffs[4*i+2] &= 0x3FFFF;
-
- r->coeffs[4*i+3] = a[9*i+6] >> 6;
- r->coeffs[4*i+3] |= (uint32_t)a[9*i+7] << 2;
- r->coeffs[4*i+3] |= (uint32_t)a[9*i+8] << 10;
- r->coeffs[4*i+3] &= 0x3FFFF;
-
- r->coeffs[4*i+0] = GAMMA1 - r->coeffs[4*i+0];
- r->coeffs[4*i+1] = GAMMA1 - r->coeffs[4*i+1];
- r->coeffs[4*i+2] = GAMMA1 - r->coeffs[4*i+2];
- r->coeffs[4*i+3] = GAMMA1 - r->coeffs[4*i+3];
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[5*i+0];
- r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8;
- r->coeffs[2*i+0] |= (uint32_t)a[5*i+2] << 16;
- r->coeffs[2*i+0] &= 0xFFFFF;
-
- r->coeffs[2*i+1] = a[5*i+2] >> 4;
- r->coeffs[2*i+1] |= (uint32_t)a[5*i+3] << 4;
- r->coeffs[2*i+1] |= (uint32_t)a[5*i+4] << 12;
- r->coeffs[2*i+0] &= 0xFFFFF;
-
- r->coeffs[2*i+0] = GAMMA1 - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = GAMMA1 - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
-#if GAMMA2 == (Q-1)/88
- for(i = 0; i < N/4; ++i) {
- r[3*i+0] = a->coeffs[4*i+0];
- r[3*i+0] |= a->coeffs[4*i+1] << 6;
- r[3*i+1] = a->coeffs[4*i+1] >> 2;
- r[3*i+1] |= a->coeffs[4*i+2] << 4;
- r[3*i+2] = a->coeffs[4*i+2] >> 4;
- r[3*i+2] |= a->coeffs[4*i+3] << 2;
- }
-#elif GAMMA2 == (Q-1)/32
- for(i = 0; i < N/2; ++i)
- r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4);
-#endif
-
- DBENCH_STOP(*tpack);
-}
+++ /dev/null
-#ifndef POLY_H
-#define POLY_H
-
-#include <stdint.h>
-#include "params.h"
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t *r, const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t *a);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t *r, const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t *a);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t *r, const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t *a);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t *r, const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
-
- for(i = 0; i < K; ++i)
- for(j = 0; j < L; ++j)
- poly_uniform(&mat[i].vec[j], rho, (i << 8) + j);
-}
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v)
-{
- unsigned int i;
- poly t;
-
- poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]);
- for(i = 1; i < L; ++i) {
- poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]);
- poly_add(w, w, &t);
- }
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_caddq(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_shiftl(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - polyveck *h: pointer to output vector
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1)
-{
- unsigned int i, s = 0;
-
- for(i = 0; i < K; ++i)
- s += poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
-
- return s;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
-}
-
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyw1_pack(&r[i*POLYW1_PACKEDBYTES], &w1->vec[i]);
-}
+++ /dev/null
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery \
- DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "reduce.h"
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int64_t)(int32_t)a*QINV;
- t = (a - (int64_t)t*Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t*Q;
- return t;
-}
-
-/*************************************************
-* Name: caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t caddq(int32_t a) {
- a += (a >> 31) & Q;
- return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t freeze(int32_t a) {
- a = reduce32(a);
- a = caddq(a);
- return a;
-}
+++ /dev/null
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define MONT -4186625 // 2^32 % Q
-#define QINV 58728449 // q^(-1) mod 2^32
-
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
-
-#define reduce32 DILITHIUM_NAMESPACE(reduce32)
-int32_t reduce32(int32_t a);
-
-#define caddq DILITHIUM_NAMESPACE(caddq)
-int32_t caddq(int32_t a);
-
-#define freeze DILITHIUM_NAMESPACE(freeze)
-int32_t freeze(int32_t a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "rounding.h"
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D-1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
-#if GAMMA2 == (Q-1)/32
- a1 = (a1*1025 + (1 << 21)) >> 22;
- a1 &= 15;
-#elif GAMMA2 == (Q-1)/88
- a1 = (a1*11275 + (1 << 23)) >> 24;
- a1 ^= ((43 - a1) >> 31) & a1;
-#endif
-
- *a0 = a - a1*2*GAMMA2;
- *a0 -= (((Q-1)/2 - *a0) >> 31) & Q;
- return a1;
-}
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if(a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = decompose(&a0, a);
- if(hint == 0)
- return a1;
-
-#if GAMMA2 == (Q-1)/32
- if(a0 > 0)
- return (a1 + 1) & 15;
- else
- return (a1 - 1) & 15;
-#elif GAMMA2 == (Q-1)/88
- if(a0 > 0)
- return (a1 == 43) ? 0 : a1 + 1;
- else
- return (a1 == 0) ? 43 : a1 - 1;
-#endif
-}
+++ /dev/null
-#ifndef ROUNDING_H
-#define ROUNDING_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define power2round DILITHIUM_NAMESPACE(power2round)
-int32_t power2round(int32_t *a0, int32_t a);
-
-#define decompose DILITHIUM_NAMESPACE(decompose)
-int32_t decompose(int32_t *a0, int32_t a);
-
-#define make_hint DILITHIUM_NAMESPACE(make_hint)
-unsigned int make_hint(int32_t a0, int32_t a1);
-
-#define use_hint DILITHIUM_NAMESPACE(use_hint)
-int32_t use_hint(int32_t a, unsigned int hint);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "sign.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
- const uint8_t *rho, *rhoprime, *key;
- polyvecl mat[K];
- polyvecl s1, s1hat;
- polyveck s2, t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Expand matrix */
- polyvec_matrix_expand(mat, rho);
-
- /* Sample short vectors s1 and s2 */
- polyvecl_uniform_eta(&s1, rhoprime, 0);
- polyveck_uniform_eta(&s2, rhoprime, L);
-
- /* Matrix-vector multiplication */
- s1hat = s1;
- polyvecl_ntt(&s1hat);
- polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat);
- polyveck_reduce(&t1);
- polyveck_invntt_tomont(&t1);
-
- /* Add error vector s2 */
- polyveck_add(&t1, &t1, &s2);
-
- /* Extract t1 and write public key */
- polyveck_caddq(&t1);
- polyveck_power2round(&t1, &t0, &t1);
- pack_pk(pk, rho, &t1);
-
- /* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig,
- size_t *siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk)
-{
- unsigned int n;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint16_t nonce = 0;
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
-#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-#endif
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-rej:
- /* Sample intermediate vector y */
- polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
- /* Matrix-vector multiplication */
- z = y;
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
- /* Compute z, reject if it reveals secret */
- polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
- polyvecl_invntt_tomont(&z);
- polyvecl_add(&z, &z, &y);
- polyvecl_reduce(&z);
- if(polyvecl_chknorm(&z, GAMMA1 - BETA))
- goto rej;
-
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
- polyveck_invntt_tomont(&h);
- polyveck_sub(&w0, &w0, &h);
- polyveck_reduce(&w0);
- if(polyveck_chknorm(&w0, GAMMA2 - BETA))
- goto rej;
-
- /* Compute hints for w1 */
- polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
- polyveck_invntt_tomont(&h);
- polyveck_reduce(&h);
- if(polyveck_chknorm(&h, GAMMA2))
- goto rej;
-
- polyveck_add(&w0, &w0, &h);
- n = polyveck_make_hint(&h, &w0, &w1);
- if(n > OMEGA)
- goto rej;
-
- shake256_inc_ctx_release(&state);
-
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm,
- size_t *smlen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk)
-{
- size_t i;
-
- for(i = 0; i < mlen; ++i)
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig,
- size_t siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *pk)
-{
- unsigned int i;
- uint8_t buf[K*POLYW1_PACKEDBYTES];
- uint8_t rho[SEEDBYTES];
- uint8_t mu[CRHBYTES];
- uint8_t c[SEEDBYTES];
- uint8_t c2[SEEDBYTES];
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
- shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- unpack_pk(rho, &t1, pk);
- if(unpack_sig(c, &z, &h, sig))
- return -1;
- if(polyvecl_chknorm(&z, GAMMA1 - BETA))
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
- polyvec_matrix_expand(mat, rho);
-
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
- poly_ntt(&cp);
- polyveck_shiftl(&t1);
- polyveck_ntt(&t1);
- polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
- polyveck_sub(&w1, &w1, &t1);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Reconstruct w1 */
- polyveck_caddq(&w1);
- polyveck_use_hint(&w1, &w1, &h);
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(c2, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(c[i] != c2[i])
- return -1;
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m,
- size_t *mlen,
- const uint8_t *sm,
- size_t smlen,
- const uint8_t *pk)
-{
- size_t i;
-
- if(smlen < CRYPTO_BYTES)
- goto badsig;
-
- *mlen = smlen - CRYPTO_BYTES;
- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk))
- goto badsig;
- else {
- /* All good, copy msg, return 0 */
- for(i = 0; i < *mlen; ++i)
- m[i] = sm[CRYPTO_BYTES + i];
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for(i = 0; i < smlen; ++i)
- m[i] = 0;
-
- return -1;
-}
+++ /dev/null
-#ifndef SIGN_H
-#define SIGN_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
+++ /dev/null
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include <stdint.h>
-#include "params.h"
-
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define dilithium_aes256ctr_init DILITHIUM_NAMESPACE(dilithium_aes256ctr_init)
-void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) \
- aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) \
- aes256_ctx_release(STATE)
-
-#else
-
-#include "fips202.h"
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-#endif
-
-#endif
+++ /dev/null
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
-or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
-
-For Keccak and the random number generator
-we are using public-domain code from sources
-and by authors listed in comments on top of
-the respective files.
+++ /dev/null
-#ifndef ALIGN_H
-#define ALIGN_H
-
-#include <stdint.h>
-#include <immintrin.h>
-
-#define ALIGNED_UINT8(N) \
- union { \
- uint8_t coeffs[N]; \
- __m256i vec[(N+31)/32]; \
- }
-
-#define ALIGNED_INT32(N) \
- union { \
- int32_t coeffs[N]; \
- __m256i vec[(N+7)/8]; \
- }
-
-#endif
+++ /dev/null
-#ifndef API_H
-#define API_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_avx2_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_avx2_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium2aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium2_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_SECRETKEYBYTES pqcrystals_dilithium2_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_avx2_BYTES pqcrystals_dilithium2_avx2_BYTES
-
-int pqcrystals_dilithium2aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
-
-#define pqcrystals_dilithium3_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_avx2_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_avx2_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium3_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_SECRETKEYBYTES pqcrystals_dilithium3_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_avx2_BYTES pqcrystals_dilithium3_avx2_BYTES
-
-int pqcrystals_dilithium3aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
-
-#define pqcrystals_dilithium5_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_avx2_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_avx2_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5aes_avx2_PUBLICKEYBYTES pqcrystals_dilithium5_avx2_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_SECRETKEYBYTES pqcrystals_dilithium5_avx2_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_avx2_BYTES pqcrystals_dilithium5_avx2_BYTES
-
-int pqcrystals_dilithium5aes_avx2_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_avx2_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_avx2_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_avx2_##s
-#endif
-#else
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_avx2_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_avx2_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_avx2
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_avx2_##s
-#endif
-#endif
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "consts.h"
-
-#define QINV 58728449 // q^(-1) mod 2^32
-#define MONT -4186625 // 2^32 mod q
-#define DIV 41978 // mont^2/256
-#define DIV_QINV -8395782
-
-const qdata_t qdata = {{
-#define _8XQ 0
- Q, Q, Q, Q, Q, Q, Q, Q,
-
-#define _8XQINV 8
- QINV, QINV, QINV, QINV, QINV, QINV, QINV, QINV,
-
-#define _8XDIV_QINV 16
- DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV, DIV_QINV,
-
-#define _8XDIV 24
- DIV, DIV, DIV, DIV, DIV, DIV, DIV, DIV,
-
-#define _ZETAS_QINV 32
- -151046689, 1830765815, -1929875198, -1927777021, 1640767044, 1477910808, 1612161320, 1640734244,
- 308362795, 308362795, 308362795, 308362795, -1815525077, -1815525077, -1815525077, -1815525077,
- -1374673747, -1374673747, -1374673747, -1374673747, -1091570561, -1091570561, -1091570561, -1091570561,
- -1929495947, -1929495947, -1929495947, -1929495947, 515185417, 515185417, 515185417, 515185417,
- -285697463, -285697463, -285697463, -285697463, 625853735, 625853735, 625853735, 625853735,
- 1727305304, 1727305304, 2082316400, 2082316400, -1364982364, -1364982364, 858240904, 858240904,
- 1806278032, 1806278032, 222489248, 222489248, -346752664, -346752664, 684667771, 684667771,
- 1654287830, 1654287830, -878576921, -878576921, -1257667337, -1257667337, -748618600, -748618600,
- 329347125, 329347125, 1837364258, 1837364258, -1443016191, -1443016191, -1170414139, -1170414139,
- -1846138265, -1631226336, -1404529459, 1838055109, 1594295555, -1076973524, -1898723372, -594436433,
- -202001019, -475984260, -561427818, 1797021249, -1061813248, 2059733581, -1661512036, -1104976547,
- -1750224323, -901666090, 418987550, 1831915353, -1925356481, 992097815, 879957084, 2024403852,
- 1484874664, -1636082790, -285388938, -1983539117, -1495136972, -950076368, -1714807468, -952438995,
- -1574918427, 1350681039, -2143979939, 1599739335, -1285853323, -993005454, -1440787840, 568627424,
- -783134478, -588790216, 289871779, -1262003603, 2135294594, -1018755525, -889861155, 1665705315,
- 1321868265, 1225434135, -1784632064, 666258756, 675310538, -1555941048, -1999506068, -1499481951,
- -695180180, -1375177022, 1777179795, 334803717, -178766299, -518252220, 1957047970, 1146323031,
- -654783359, -1974159335, 1651689966, 140455867, -1039411342, 1955560694, 1529189038, -2131021878,
- -247357819, 1518161567, -86965173, 1708872713, 1787797779, 1638590967, -120646188, -1669960606,
- -916321552, 1155548552, 2143745726, 1210558298, -1261461890, -318346816, 628664287, -1729304568,
- 1422575624, 1424130038, -1185330464, 235321234, 168022240, 1206536194, 985155484, -894060583,
- -898413, -1363460238, -605900043, 2027833504, 14253662, 1014493059, 863641633, 1819892093,
- 2124962073, -1223601433, -1920467227, -1637785316, -1536588520, 694382729, 235104446, -1045062172,
- 831969619, -300448763, 756955444, -260312805, 1554794072, 1339088280, -2040058690, -853476187,
- -2047270596, -1723816713, -1591599803, -440824168, 1119856484, 1544891539, 155290192, -973777462,
- 991903578, 912367099, -44694137, 1176904444, -421552614, -818371958, 1747917558, -325927722,
- 908452108, 1851023419, -1176751719, -1354528380, -72690498, -314284737, 985022747, 963438279,
- -1078959975, 604552167, -1021949428, 608791570, 173440395, -2126092136, -1316619236, -1039370342,
- 6087993, -110126092, 565464272, -1758099917, -1600929361, 879867909, -1809756372, 400711272,
- 1363007700, 30313375, -326425360, 1683520342, -517299994, 2027935492, -1372618620, 128353682,
- -1123881663, 137583815, -635454918, -642772911, 45766801, 671509323, -2070602178, 419615363,
- 1216882040, -270590488, -1276805128, 371462360, -1357098057, -384158533, 827959816, -596344473,
- 702390549, -279505433, -260424530, -71875110, -1208667171, -1499603926, 2036925262, -540420426,
- 746144248, -1420958686, 2032221021, 1904936414, 1257750362, 1926727420, 1931587462, 1258381762,
- 885133339, 1629985060, 1967222129, 6363718, -1287922800, 1136965286, 1779436847, 1116720494,
- 1042326957, 1405999311, 713994583, 940195359, -1542497137, 2061661095, -883155599, 1726753853,
- -1547952704, 394851342, 283780712, 776003547, 1123958025, 201262505, 1934038751, 374860238,
-
-#define _ZETAS 328
- -3975713, 25847, -2608894, -518909, 237124, -777960, -876248, 466468,
- 1826347, 1826347, 1826347, 1826347, 2353451, 2353451, 2353451, 2353451,
- -359251, -359251, -359251, -359251, -2091905, -2091905, -2091905, -2091905,
- 3119733, 3119733, 3119733, 3119733, -2884855, -2884855, -2884855, -2884855,
- 3111497, 3111497, 3111497, 3111497, 2680103, 2680103, 2680103, 2680103,
- 2725464, 2725464, 1024112, 1024112, -1079900, -1079900, 3585928, 3585928,
- -549488, -549488, -1119584, -1119584, 2619752, 2619752, -2108549, -2108549,
- -2118186, -2118186, -3859737, -3859737, -1399561, -1399561, -3277672, -3277672,
- 1757237, 1757237, -19422, -19422, 4010497, 4010497, 280005, 280005,
- 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439,
- -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299,
- -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596,
- 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
- -3930395, -3677745, -1452451, 2176455, -1257611, -4083598, -3190144, -3632928,
- 3412210, 2147896, -2967645, -411027, -671102, -22981, -381987, 1852771,
- -3343383, 508951, 44288, 904516, -3724342, 1653064, 2389356, 759969,
- 189548, 3159746, -2409325, 1315589, 1285669, -812732, -3019102, -3628969,
- -1528703, -3041255, 3475950, -1585221, 1939314, -1000202, -3157330, 126922,
- -983419, 2715295, -3693493, -2477047, -1228525, -1308169, 1349076, -1430430,
- 264944, 3097992, -1100098, 3958618, -8578, -3249728, -210977, -1316856,
- -3553272, -1851402, -177440, 1341330, -1584928, -1439742, -3881060, 3839961,
- 2091667, -3342478, 266997, -3520352, 900702, 495491, -655327, -3556995,
- 342297, 3437287, 2842341, 4055324, -3767016, -2994039, -1333058, -451100,
- -1279661, 1500165, -542412, -2584293, -2013608, 1957272, -3183426, 810149,
- -3038916, 2213111, -426683, -1667432, -2939036, 183443, -554416, 3937738,
- 3407706, 2244091, 2434439, -3759364, 1859098, -1613174, -3122442, -525098,
- 286988, -3342277, 2691481, 1247620, 1250494, 1869119, 1237275, 1312455,
- 1917081, 777191, -2831860, -3724270, 2432395, 3369112, 162844, 1652634,
- 3523897, -975884, 1723600, -1104333, -2235985, -976891, 3919660, 1400424,
- 2316500, -2446433, -1235728, -1197226, 909542, -43260, 2031748, -768622,
- -2437823, 1735879, -2590150, 2486353, 2635921, 1903435, -3318210, 3306115,
- -2546312, 2235880, -1671176, 594136, 2454455, 185531, 1616392, -3694233,
- 3866901, 1717735, -1803090, -260646, -420899, 1612842, -48306, -846154,
- 3817976, -3562462, 3513181, -3193378, 819034, -522500, 3207046, -3595838,
- 4108315, 203044, 1265009, 1595974, -3548272, -1050970, -1430225, -1962642,
- -1374803, 3406031, -1846953, -3776993, -164721, -1207385, 3014001, -1799107,
- 269760, 472078, 1910376, -3833893, -2286327, -3545687, -1362209, 1976782,
-}};
+++ /dev/null
-#ifndef CONSTS_H
-#define CONSTS_H
-
-#include "params.h"
-
-#define _8XQ 0
-#define _8XQINV 8
-#define _8XDIV_QINV 16
-#define _8XDIV 24
-#define _ZETAS_QINV 32
-#define _ZETAS 328
-
-/* The C ABI on MacOS exports all symbols with a leading
- * underscore. This means that any symbols we refer to from
- * C files (functions) can't be found, and all symbols we
- * refer to from ASM also can't be found.
- *
- * This define helps us get around this
- */
-#if defined(__WIN32__) || defined(__APPLE__)
-#define decorate(s) _##s
-#define _cdecl(s) decorate(s)
-#define cdecl(s) _cdecl(DILITHIUM_NAMESPACE(##s))
-#else
-#define cdecl(s) DILITHIUM_NAMESPACE(##s)
-#endif
-
-#ifndef __ASSEMBLER__
-
-#include "align.h"
-
-typedef ALIGNED_INT32(624) qdata_t;
-
-#define qdata DILITHIUM_NAMESPACE(qdata)
-extern const qdata_t qdata;
-
-#endif
-#endif
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpsubd %ymm\l,%ymm\h,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vpmuldq %ymm\zl0,%ymm12,%ymm13
-vmovshdup %ymm12,%ymm\h
-vpmuldq %ymm\zl1,%ymm\h,%ymm14
-
-vpmuldq %ymm\zh0,%ymm12,%ymm12
-vpmuldq %ymm\zh1,%ymm\h,%ymm\h
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vpsubd %ymm13,%ymm12,%ymm12
-vpsubd %ymm14,%ymm\h,%ymm\h
-
-vmovshdup %ymm12,%ymm12
-vpblendd $0xAA,%ymm\h,%ymm12,%ymm\h
-.endm
-
-.macro levels0t5 off
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-/* level 0 */
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,5,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 6,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-72)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-72)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,9,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+296-8*\off-104)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+296-8*\off-104)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 10,11,1,3,2,15
-
-/* level 1 */
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,6,1,3,2,15
-butterfly 5,7,1,3,2,15
-
-vpermq $0x1B,(_ZETAS_QINV+168-8*\off-40)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+168-8*\off-40)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 8,10,1,3,2,15
-butterfly 9,11,1,3,2,15
-
-/* level 2 */
-vpermq $0x1B,(_ZETAS_QINV+104-8*\off-8)*4(%rsi),%ymm3
-vpermq $0x1B,(_ZETAS+104-8*\off-8)*4(%rsi),%ymm15
-vmovshdup %ymm3,%ymm1
-vmovshdup %ymm15,%ymm2
-butterfly 4,8,1,3,2,15
-butterfly 5,9,1,3,2,15
-butterfly 6,10,1,3,2,15
-butterfly 7,11,1,3,2,15
-
-/* level 3 */
-shuffle2 4,5,3,5
-shuffle2 6,7,4,7
-shuffle2 8,9,6,9
-shuffle2 10,11,8,11
-
-vpermq $0x1B,(_ZETAS_QINV+72-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+72-8*\off-8)*4(%rsi),%ymm2
-butterfly 3,5
-butterfly 4,7
-butterfly 6,9
-butterfly 8,11
-
-/* level 4 */
-shuffle4 3,4,10,4
-shuffle4 6,8,3,8
-shuffle4 5,7,6,7
-shuffle4 9,11,5,11
-
-vpermq $0x1B,(_ZETAS_QINV+40-8*\off-8)*4(%rsi),%ymm1
-vpermq $0x1B,(_ZETAS+40-8*\off-8)*4(%rsi),%ymm2
-butterfly 10,4
-butterfly 3,8
-butterfly 6,7
-butterfly 5,11
-
-/* level 5 */
-shuffle8 10,3,9,3
-shuffle8 6,5,10,5
-shuffle8 4,8,6,8
-shuffle8 7,11,4,11
-
-vpbroadcastd (_ZETAS_QINV+7-\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+7-\off)*4(%rsi),%ymm2
-butterfly 9,3
-butterfly 10,5
-butterfly 6,8
-butterfly 4,11
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm10,256*\off+ 32(%rdi)
-vmovdqa %ymm6,256*\off+ 64(%rdi)
-vmovdqa %ymm4,256*\off+ 96(%rdi)
-vmovdqa %ymm3,256*\off+128(%rdi)
-vmovdqa %ymm5,256*\off+160(%rdi)
-vmovdqa %ymm8,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.macro levels6t7 off
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-/* level 6 */
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-/* level 7 */
-vpbroadcastd (_ZETAS_QINV+0)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+0)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-
-vmovdqa (_8XDIV_QINV)*4(%rsi),%ymm1
-vmovdqa (_8XDIV)*4(%rsi),%ymm2
-vpmuldq %ymm1,%ymm4,%ymm12
-vpmuldq %ymm1,%ymm5,%ymm13
-vmovshdup %ymm4,%ymm8
-vmovshdup %ymm5,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm4,%ymm4
-vpmuldq %ymm2,%ymm5,%ymm5
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm4,%ymm4
-vpsubd %ymm13,%ymm5,%ymm5
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm4,%ymm4
-vmovshdup %ymm5,%ymm5
-vpblendd $0xAA,%ymm8,%ymm4,%ymm4
-vpblendd $0xAA,%ymm9,%ymm5,%ymm5
-
-vpmuldq %ymm1,%ymm6,%ymm12
-vpmuldq %ymm1,%ymm7,%ymm13
-vmovshdup %ymm6,%ymm8
-vmovshdup %ymm7,%ymm9
-vpmuldq %ymm1,%ymm8,%ymm14
-vpmuldq %ymm1,%ymm9,%ymm15
-vpmuldq %ymm2,%ymm6,%ymm6
-vpmuldq %ymm2,%ymm7,%ymm7
-vpmuldq %ymm2,%ymm8,%ymm8
-vpmuldq %ymm2,%ymm9,%ymm9
-vpmuldq %ymm0,%ymm12,%ymm12
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-vpmuldq %ymm0,%ymm15,%ymm15
-vpsubd %ymm12,%ymm6,%ymm6
-vpsubd %ymm13,%ymm7,%ymm7
-vpsubd %ymm14,%ymm8,%ymm8
-vpsubd %ymm15,%ymm9,%ymm9
-vmovshdup %ymm6,%ymm6
-vmovshdup %ymm7,%ymm7
-vpblendd $0xAA,%ymm8,%ymm6,%ymm6
-vpblendd $0xAA,%ymm9,%ymm7,%ymm7
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-.endm
-
-.text
-.global cdecl(invntt_avx)
-cdecl(invntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t5 0
-levels0t5 1
-levels0t5 2
-levels0t5 3
-
-levels6t7 0
-levels6t7 1
-levels6t7 2
-levels6t7 3
-
-ret
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.macro butterfly l,h,zl0=1,zl1=1,zh0=2,zh1=2
-vpmuldq %ymm\zl0,%ymm\h,%ymm13
-vmovshdup %ymm\h,%ymm12
-vpmuldq %ymm\zl1,%ymm12,%ymm14
-
-vpmuldq %ymm\zh0,%ymm\h,%ymm\h
-vpmuldq %ymm\zh1,%ymm12,%ymm12
-
-vpmuldq %ymm0,%ymm13,%ymm13
-vpmuldq %ymm0,%ymm14,%ymm14
-
-vmovshdup %ymm\h,%ymm\h
-vpblendd $0xAA,%ymm12,%ymm\h,%ymm\h
-
-vpsubd %ymm\h,%ymm\l,%ymm12
-vpaddd %ymm\h,%ymm\l,%ymm\l
-
-vmovshdup %ymm13,%ymm13
-vpblendd $0xAA,%ymm14,%ymm13,%ymm13
-
-vpaddd %ymm13,%ymm12,%ymm\h
-vpsubd %ymm13,%ymm\l,%ymm\l
-.endm
-
-.macro levels0t1 off
-/* level 0 */
-vpbroadcastd (_ZETAS_QINV+1)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+1)*4(%rsi),%ymm2
-
-vmovdqa 0+32*\off(%rdi),%ymm4
-vmovdqa 128+32*\off(%rdi),%ymm5
-vmovdqa 256+32*\off(%rdi),%ymm6
-vmovdqa 384+32*\off(%rdi),%ymm7
-vmovdqa 512+32*\off(%rdi),%ymm8
-vmovdqa 640+32*\off(%rdi),%ymm9
-vmovdqa 768+32*\off(%rdi),%ymm10
-vmovdqa 896+32*\off(%rdi),%ymm11
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-/* level 1 */
-vpbroadcastd (_ZETAS_QINV+2)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+2)*4(%rsi),%ymm2
-butterfly 4,6
-butterfly 5,7
-
-vpbroadcastd (_ZETAS_QINV+3)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+3)*4(%rsi),%ymm2
-butterfly 8,10
-butterfly 9,11
-
-vmovdqa %ymm4, 0+32*\off(%rdi)
-vmovdqa %ymm5,128+32*\off(%rdi)
-vmovdqa %ymm6,256+32*\off(%rdi)
-vmovdqa %ymm7,384+32*\off(%rdi)
-vmovdqa %ymm8,512+32*\off(%rdi)
-vmovdqa %ymm9,640+32*\off(%rdi)
-vmovdqa %ymm10,768+32*\off(%rdi)
-vmovdqa %ymm11,896+32*\off(%rdi)
-.endm
-
-.macro levels2t7 off
-/* level 2 */
-vmovdqa 256*\off+ 0(%rdi),%ymm4
-vmovdqa 256*\off+ 32(%rdi),%ymm5
-vmovdqa 256*\off+ 64(%rdi),%ymm6
-vmovdqa 256*\off+ 96(%rdi),%ymm7
-vmovdqa 256*\off+128(%rdi),%ymm8
-vmovdqa 256*\off+160(%rdi),%ymm9
-vmovdqa 256*\off+192(%rdi),%ymm10
-vmovdqa 256*\off+224(%rdi),%ymm11
-
-vpbroadcastd (_ZETAS_QINV+4+\off)*4(%rsi),%ymm1
-vpbroadcastd (_ZETAS+4+\off)*4(%rsi),%ymm2
-
-butterfly 4,8
-butterfly 5,9
-butterfly 6,10
-butterfly 7,11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-/* level 3 */
-vmovdqa (_ZETAS_QINV+8+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+8+8*\off)*4(%rsi),%ymm2
-
-butterfly 3,5
-butterfly 8,10
-butterfly 4,6
-butterfly 9,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-/* level 4 */
-vmovdqa (_ZETAS_QINV+40+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+40+8*\off)*4(%rsi),%ymm2
-
-butterfly 7,8
-butterfly 5,6
-butterfly 3,4
-butterfly 10,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-/* level 5 */
-vmovdqa (_ZETAS_QINV+72+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+72+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-
-butterfly 9,5,1,10,2,15
-butterfly 8,4,1,10,2,15
-butterfly 7,3,1,10,2,15
-butterfly 6,11,1,10,2,15
-
-/* level 6 */
-vmovdqa (_ZETAS_QINV+104+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,7,1,10,2,15
-butterfly 8,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+104+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+104+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,3,1,10,2,15
-butterfly 4,11,1,10,2,15
-
-/* level 7 */
-vmovdqa (_ZETAS_QINV+168+8*\off)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 9,8,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+32)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+32)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 7,6,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+64)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+64)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 5,4,1,10,2,15
-
-vmovdqa (_ZETAS_QINV+168+8*\off+96)*4(%rsi),%ymm1
-vmovdqa (_ZETAS+168+8*\off+96)*4(%rsi),%ymm2
-vpsrlq $32,%ymm1,%ymm10
-vmovshdup %ymm2,%ymm15
-butterfly 3,11,1,10,2,15
-
-vmovdqa %ymm9,256*\off+ 0(%rdi)
-vmovdqa %ymm8,256*\off+ 32(%rdi)
-vmovdqa %ymm7,256*\off+ 64(%rdi)
-vmovdqa %ymm6,256*\off+ 96(%rdi)
-vmovdqa %ymm5,256*\off+128(%rdi)
-vmovdqa %ymm4,256*\off+160(%rdi)
-vmovdqa %ymm3,256*\off+192(%rdi)
-vmovdqa %ymm11,256*\off+224(%rdi)
-.endm
-
-.text
-.global cdecl(ntt_avx)
-cdecl(ntt_avx):
-vmovdqa _8XQ*4(%rsi),%ymm0
-
-levels0t1 0
-levels0t1 1
-levels0t1 2
-levels0t1 3
-
-levels2t7 0
-levels2t7 1
-levels2t7 2
-levels2t7 3
-
-ret
-
+++ /dev/null
-#ifndef NTT_H
-#define NTT_H
-
-#include <immintrin.h>
-
-#define ntt_avx DILITHIUM_NAMESPACE(ntt_avx)
-void ntt_avx(__m256i *a, const __m256i *qdata);
-#define invntt_avx DILITHIUM_NAMESPACE(invntt_avx)
-void invntt_avx(__m256i *a, const __m256i *qdata);
-
-#define nttunpack_avx DILITHIUM_NAMESPACE(nttunpack_avx)
-void nttunpack_avx(__m256i *a);
-
-#define pointwise_avx DILITHIUM_NAMESPACE(pointwise_avx)
-void pointwise_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *qdata);
-#define pointwise_acc_avx DILITHIUM_NAMESPACE(pointwise_acc_avx)
-void pointwise_acc_avx(__m256i *c, const __m256i *a, const __m256i *b, const __m256i *qdata);
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- pk[i] = rho[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = pk[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = rho[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = key[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = tr[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s2->vec[i]);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- key[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- tr[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i=0; i < L; ++i)
- polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyeta_unpack(&s2->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h)
-{
- unsigned int i, j, k;
-
- for(i=0; i < SEEDBYTES; ++i)
- sig[i] = c[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for(i = 0; i < OMEGA + K; ++i)
- sig[i] = 0;
-
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- if(h->vec[i].coeffs[j] != 0)
- sig[k++] = j;
-
- sig[OMEGA + i] = k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES])
-{
- unsigned int i, j, k;
-
- for(i = 0; i < SEEDBYTES; ++i)
- c[i] = sig[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- h->vec[i].coeffs[j] = 0;
-
- if(sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
- return 1;
-
- for(j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > k && sig[j] <= sig[j-1]) return 1;
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for(j = k; j < OMEGA; ++j)
- if(sig[j])
- return 1;
-
- return 0;
-}
+++ /dev/null
-#ifndef PACKING_H
-#define PACKING_H
-
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#include "config.h"
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-
-#endif
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES 96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "consts.h"
-
-.text
-.global cdecl(pointwise_avx)
-cdecl(pointwise_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop1:
-#load
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa 64(%rsi),%ymm6
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vmovdqa 64(%rdx),%ymm14
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm6,%ymm7
-vpsrlq $32,%ymm10,%ymm11
-vpsrlq $32,%ymm12,%ymm13
-vmovshdup %ymm14,%ymm15
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-vpmuldq %ymm6,%ymm14,%ymm6
-vpmuldq %ymm7,%ymm15,%ymm7
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm0,%ymm6,%ymm14
-vpmuldq %ymm0,%ymm7,%ymm15
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpmuldq %ymm1,%ymm14,%ymm14
-vpmuldq %ymm1,%ymm15,%ymm15
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsubq %ymm14,%ymm6,%ymm6
-vpsubq %ymm15,%ymm7,%ymm7
-vpsrlq $32,%ymm2,%ymm2
-vpsrlq $32,%ymm4,%ymm4
-vmovshdup %ymm6,%ymm6
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-vpblendd $0xAA,%ymm7,%ymm6,%ymm6
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-vmovdqa %ymm6,64(%rdi)
-
-add $96,%rdi
-add $96,%rsi
-add $96,%rdx
-add $1,%eax
-cmp $10,%eax
-jb _looptop1
-
-vmovdqa (%rsi),%ymm2
-vmovdqa 32(%rsi),%ymm4
-vmovdqa (%rdx),%ymm10
-vmovdqa 32(%rdx),%ymm12
-vpsrlq $32,%ymm2,%ymm3
-vpsrlq $32,%ymm4,%ymm5
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm2,%ymm10,%ymm2
-vpmuldq %ymm3,%ymm11,%ymm3
-vpmuldq %ymm4,%ymm12,%ymm4
-vpmuldq %ymm5,%ymm13,%ymm5
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm10
-vpmuldq %ymm0,%ymm3,%ymm11
-vpmuldq %ymm0,%ymm4,%ymm12
-vpmuldq %ymm0,%ymm5,%ymm13
-vpmuldq %ymm1,%ymm10,%ymm10
-vpmuldq %ymm1,%ymm11,%ymm11
-vpmuldq %ymm1,%ymm12,%ymm12
-vpmuldq %ymm1,%ymm13,%ymm13
-vpsubq %ymm10,%ymm2,%ymm2
-vpsubq %ymm11,%ymm3,%ymm3
-vpsubq %ymm12,%ymm4,%ymm4
-vpsubq %ymm13,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0x55,%ymm2,%ymm3,%ymm2
-vpblendd $0x55,%ymm4,%ymm5,%ymm4
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-ret
-
-.macro pointwise off
-#load
-vmovdqa \off(%rsi),%ymm6
-vmovdqa \off+32(%rsi),%ymm8
-vmovdqa \off(%rdx),%ymm10
-vmovdqa \off+32(%rdx),%ymm12
-vpsrlq $32,%ymm6,%ymm7
-vpsrlq $32,%ymm8,%ymm9
-vmovshdup %ymm10,%ymm11
-vmovshdup %ymm12,%ymm13
-
-#mul
-vpmuldq %ymm6,%ymm10,%ymm6
-vpmuldq %ymm7,%ymm11,%ymm7
-vpmuldq %ymm8,%ymm12,%ymm8
-vpmuldq %ymm9,%ymm13,%ymm9
-.endm
-
-.macro acc
-vpaddq %ymm6,%ymm2,%ymm2
-vpaddq %ymm7,%ymm3,%ymm3
-vpaddq %ymm8,%ymm4,%ymm4
-vpaddq %ymm9,%ymm5,%ymm5
-.endm
-
-.global cdecl(pointwise_acc_avx)
-cdecl(pointwise_acc_avx):
-#consts
-vmovdqa _8XQINV*4(%rcx),%ymm0
-vmovdqa _8XQ*4(%rcx),%ymm1
-
-xor %eax,%eax
-_looptop2:
-pointwise 0
-
-#mov
-vmovdqa %ymm6,%ymm2
-vmovdqa %ymm7,%ymm3
-vmovdqa %ymm8,%ymm4
-vmovdqa %ymm9,%ymm5
-
-pointwise 1024
-acc
-
-#if L >= 3
-pointwise 2048
-acc
-#endif
-
-#if L >= 4
-pointwise 3072
-acc
-#endif
-
-#if L >= 5
-pointwise 4096
-acc
-#endif
-
-#if L >= 6
-pointwise 5120
-acc
-#endif
-
-#if L >= 7
-pointwise 6144
-acc
-#endif
-
-#reduce
-vpmuldq %ymm0,%ymm2,%ymm6
-vpmuldq %ymm0,%ymm3,%ymm7
-vpmuldq %ymm0,%ymm4,%ymm8
-vpmuldq %ymm0,%ymm5,%ymm9
-vpmuldq %ymm1,%ymm6,%ymm6
-vpmuldq %ymm1,%ymm7,%ymm7
-vpmuldq %ymm1,%ymm8,%ymm8
-vpmuldq %ymm1,%ymm9,%ymm9
-vpsubq %ymm6,%ymm2,%ymm2
-vpsubq %ymm7,%ymm3,%ymm3
-vpsubq %ymm8,%ymm4,%ymm4
-vpsubq %ymm9,%ymm5,%ymm5
-vpsrlq $32,%ymm2,%ymm2
-vmovshdup %ymm4,%ymm4
-
-#store
-vpblendd $0xAA,%ymm3,%ymm2,%ymm2
-vpblendd $0xAA,%ymm5,%ymm4,%ymm4
-
-vmovdqa %ymm2,(%rdi)
-vmovdqa %ymm4,32(%rdi)
-
-add $64,%rsi
-add $64,%rdx
-add $64,%rdi
-add $1,%eax
-cmp $16,%eax
-jb _looptop2
-
-ret
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include <string.h>
-#include "align.h"
-#include "params.h"
-#include "poly.h"
-#include "ntt.h"
-#include "rounding.h"
-#include "rejsample.h"
-#include "consts.h"
-#include "symmetric.h"
-#ifndef DILITHIUM_USE_AES
-#include "fips202x4.h"
-#endif
-
-#ifdef DBENCH
-#include "test/cpucycles.h"
-extern const uint64_t timing_overhead;
-extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
-#define DBENCH_START() uint64_t time = cpucycles()
-#define DBENCH_STOP(t) t += cpucycles() - time - timing_overhead
-#else
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-#endif
-
-#define _mm256_blendv_epi32(a,b,mask) \
- _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \
- _mm256_castsi256_ps(b), \
- _mm256_castsi256_ps(mask)))
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007]. Assumes input
-* coefficients to be at most 2^31 - 2^22 - 1 in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_reduce(poly *a) {
- unsigned int i;
- __m256i f,g;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i off = _mm256_set1_epi32(1<<22);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_add_epi32(f,off);
- g = _mm256_srai_epi32(g,23);
- g = _mm256_mullo_epi32(g,q);
- f = _mm256_sub_epi32(f,g);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_addq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_caddq(poly *a) {
- unsigned int i;
- __m256i f,g;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i zero = _mm256_setzero_si256();
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_blendv_epi32(zero,q,f);
- f = _mm256_add_epi32(f,g);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f,g;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_load_si256(&b->vec[i]);
- f = _mm256_add_epi32(f,g);
- _mm256_store_si256(&c->vec[i],f);
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- __m256i f,g;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- g = _mm256_load_si256(&b->vec[i]);
- f = _mm256_sub_epi32(f,g);
- _mm256_store_si256(&c->vec[i],f);
- }
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- __m256i f;
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_slli_epi32(f,D);
- _mm256_store_si256(&a->vec[i],f);
- }
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by up to
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt_avx(a->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_avx(a->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-void poly_nttunpack(poly *a) {
- DBENCH_START();
-
- nttunpack_avx(a->vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- DBENCH_START();
-
- pointwise_avx(c->vec, a->vec, b->vec, qdata.vec);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod^+ Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_power2round(poly *a1, poly *a0, const poly *a)
-{
- DBENCH_START();
-
- power2round_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod^+ Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except if c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be positive standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a)
-{
- DBENCH_START();
-
- decompose_avx(a1->vec, a0->vec, a->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint array. The coefficients of which are the
-* indices of the coefficients of the input polynomial
-* whose low bits overflow into the high bits.
-*
-* Arguments: - uint8_t *h: pointer to output hint array (preallocated of length N)
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of hints, i.e. length of hint array.
-**************************************************/
-unsigned int poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1)
-{
- unsigned int r;
- DBENCH_START();
-
- r = make_hint_avx(hint, a0->vec, a1->vec);
-
- DBENCH_STOP(*tround);
- return r;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h)
-{
- DBENCH_START();
-
- use_hint_avx(b->vec, a->vec, h->vec);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input polynomial to be reduced by poly_reduce().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int r;
- __m256i f,t;
- const __m256i bound = _mm256_set1_epi32(B-1);
- DBENCH_START();
-
- if(B > (Q-1)/8)
- return 1;
-
- t = _mm256_setzero_si256();
- for(i = 0; i < N/8; i++) {
- f = _mm256_load_si256(&a->vec[i]);
- f = _mm256_abs_epi32(f);
- f = _mm256_cmpgt_epi32(f,bound);
- t = _mm256_or_si256(t,f);
- }
-
- r = 1 - _mm256_testz_si256(t,t);
- DBENCH_STOP(*tsample);
- return r;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- a[ctr++] = t;
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void poly_uniform_preinit(poly *a, stream128_state *state)
-{
- unsigned int ctr;
- /* rej_uniform_avx reads up to 8 additional bytes */
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf;
-
- stream128_squeezeblocks(buf.coeffs, REJ_UNIFORM_NBLOCKS, state);
- ctr = rej_uniform_avx(a->coeffs, buf.coeffs);
-
- while(ctr < N) {
- /* length of buf is always divisible by 3; hence, no bytes left */
- stream128_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM128_BLOCKBYTES);
- }
-}
-
-void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- stream128_state state;
- stream128_init(&state, seed, nonce);
- poly_uniform_preinit(a, &state);
- stream128_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[32],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_BUFLEN+8) buf[4];
- shake128x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)seed);
- _mm256_store_si256(buf[0].vec,f);
- _mm256_store_si256(buf[1].vec,f);
- _mm256_store_si256(buf[2].vec,f);
- _mm256_store_si256(buf[3].vec,f);
-
- buf[0].coeffs[SEEDBYTES+0] = nonce0;
- buf[0].coeffs[SEEDBYTES+1] = nonce0 >> 8;
- buf[1].coeffs[SEEDBYTES+0] = nonce1;
- buf[1].coeffs[SEEDBYTES+1] = nonce1 >> 8;
- buf[2].coeffs[SEEDBYTES+0] = nonce2;
- buf[2].coeffs[SEEDBYTES+1] = nonce2 >> 8;
- buf[3].coeffs[SEEDBYTES+0] = nonce3;
- buf[3].coeffs[SEEDBYTES+1] = nonce3 >> 8;
-
- shake128x4_inc_init(&state);
- shake128x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, SEEDBYTES + 2);
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_NBLOCKS, &state);
-
- ctr0 = rej_uniform_avx(a0->coeffs, buf[0].coeffs);
- ctr1 = rej_uniform_avx(a1->coeffs, buf[1].coeffs);
- ctr2 = rej_uniform_avx(a2->coeffs, buf[2].coeffs);
- ctr3 = rej_uniform_avx(a3->coeffs, buf[3].coeffs);
-
- while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
- shake128x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
-
- ctr0 += rej_uniform(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE128_RATE);
- ctr1 += rej_uniform(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE128_RATE);
- ctr2 += rej_uniform(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE128_RATE);
- ctr3 += rej_uniform(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE128_RATE);
- }
- shake128x4_inc_ctx_release(&state);
-}
-#endif
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-#if ETA == 2
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- a[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < len) {
- t1 = t1 - (205*t1 >> 10)*5;
- a[ctr++] = 2 - t1;
- }
-#elif ETA == 4
- if(t0 < 9)
- a[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < len)
- a[ctr++] = 4 - t1;
-#endif
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling using the
-* output stream of SHAKE256(seed|nonce)
-* or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-void poly_uniform_eta_preinit(poly *a, stream256_state *state)
-{
- unsigned int ctr;
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf;
-
- stream256_squeezeblocks(buf.coeffs, REJ_UNIFORM_ETA_NBLOCKS, state);
- ctr = rej_eta_avx(a->coeffs, buf.coeffs);
-
- while(ctr < N) {
- stream256_squeezeblocks(buf.coeffs, 1, state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf.coeffs, STREAM256_BLOCKBYTES);
- }
-}
-
-void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_eta_preinit(a, &state);
- stream256_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_eta_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[64],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- unsigned int ctr0, ctr1, ctr2, ctr3;
- ALIGNED_UINT8(REJ_UNIFORM_ETA_BUFLEN) buf[4];
-
- __m256i f;
- shake256x4incctx state;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
- _mm256_store_si256(&buf[1].vec[0],f);
- _mm256_store_si256(&buf[2].vec[0],f);
- _mm256_store_si256(&buf[3].vec[0],f);
- f = _mm256_loadu_si256((__m256i *)&seed[32]);
- _mm256_store_si256(&buf[0].vec[1],f);
- _mm256_store_si256(&buf[1].vec[1],f);
- _mm256_store_si256(&buf[2].vec[1],f);
- _mm256_store_si256(&buf[3].vec[1],f);
-
- buf[0].coeffs[64] = nonce0;
- buf[0].coeffs[65] = nonce0 >> 8;
- buf[1].coeffs[64] = nonce1;
- buf[1].coeffs[65] = nonce1 >> 8;
- buf[2].coeffs[64] = nonce2;
- buf[2].coeffs[65] = nonce2 >> 8;
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
- shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, REJ_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr0 = rej_eta_avx(a0->coeffs, buf[0].coeffs);
- ctr1 = rej_eta_avx(a1->coeffs, buf[1].coeffs);
- ctr2 = rej_eta_avx(a2->coeffs, buf[2].coeffs);
- ctr3 = rej_eta_avx(a3->coeffs, buf[3].coeffs);
-
- while(ctr0 < N || ctr1 < N || ctr2 < N || ctr3 < N) {
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 1, &state);
-
- ctr0 += rej_eta(a0->coeffs + ctr0, N - ctr0, buf[0].coeffs, SHAKE256_RATE);
- ctr1 += rej_eta(a1->coeffs + ctr1, N - ctr1, buf[1].coeffs, SHAKE256_RATE);
- ctr2 += rej_eta(a2->coeffs + ctr2, N - ctr2, buf[2].coeffs, SHAKE256_RATE);
- ctr3 += rej_eta(a3->coeffs + ctr3, N - ctr3, buf[3].coeffs, SHAKE256_RATE);
- }
- shake256x4_inc_ctx_release(&state);
-}
-#endif
-
-/*************************************************
-* Name: poly_uniform_gamma1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1_preinit(poly *a, stream256_state *state)
-{
- /* polyz_unpack reads 14 additional bytes */
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf;
- stream256_squeezeblocks(buf.coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, state);
- polyz_unpack(a, buf.coeffs);
-}
-
-void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- stream256_state state;
- stream256_init(&state, seed, nonce);
- poly_uniform_gamma1_preinit(a, &state);
- stream256_release(&state);
-}
-
-#ifndef DILITHIUM_USE_AES
-void poly_uniform_gamma1_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[64],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3)
-{
- ALIGNED_UINT8(POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES+14) buf[4];
- shake256x4incctx state;
- __m256i f;
-
- f = _mm256_loadu_si256((__m256i *)&seed[0]);
- _mm256_store_si256(&buf[0].vec[0],f);
- _mm256_store_si256(&buf[1].vec[0],f);
- _mm256_store_si256(&buf[2].vec[0],f);
- _mm256_store_si256(&buf[3].vec[0],f);
- f = _mm256_loadu_si256((__m256i *)&seed[32]);
- _mm256_store_si256(&buf[0].vec[1],f);
- _mm256_store_si256(&buf[1].vec[1],f);
- _mm256_store_si256(&buf[2].vec[1],f);
- _mm256_store_si256(&buf[3].vec[1],f);
-
- buf[0].coeffs[64] = nonce0;
- buf[0].coeffs[65] = nonce0 >> 8;
- buf[1].coeffs[64] = nonce1;
- buf[1].coeffs[65] = nonce1 >> 8;
- buf[2].coeffs[64] = nonce2;
- buf[2].coeffs[65] = nonce2 >> 8;
- buf[3].coeffs[64] = nonce3;
- buf[3].coeffs[65] = nonce3 >> 8;
-
- shake256x4_inc_init(&state);
- shake256x4_absorb_once(&state, buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, 66);
- shake256x4_squeezeblocks(buf[0].coeffs, buf[1].coeffs, buf[2].coeffs, buf[3].coeffs, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- shake256x4_inc_ctx_release(&state);
-
- polyz_unpack(a0, buf[0].coeffs);
- polyz_unpack(a1, buf[1].coeffs);
- polyz_unpack(a2, buf[2].coeffs);
- polyz_unpack(a3, buf[3].coeffs);
-}
-#endif
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly * restrict c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- ALIGNED_UINT8(SHAKE256_RATE) buf;
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SHAKE256_RATE, &state);
-
- memcpy(&signs, buf.coeffs, 8);
- pos = 8;
-
- memset(c->vec, 0, sizeof(poly));
- for(i = N-TAU; i < N; ++i) {
- do {
- if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(buf.coeffs, 1, &state);
- pos = 0;
- }
-
- b = buf.coeffs[pos++];
- } while(b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
-
- r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
- r[i] = t[0] | (t[1] << 4);
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly * restrict r, const uint8_t a[POLYETA_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
- r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
- r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7;
- r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7;
- r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7;
- r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7;
- r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
- r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
-
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[i] & 0x0F;
- r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r[5*i+0] = (a->coeffs[4*i+0] >> 0);
- r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2);
- r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4);
- r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6);
- r[5*i+4] = (a->coeffs[4*i+3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are positive standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt1_unpack(poly * restrict r, const uint8_t a[POLYT1_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF;
- r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF;
- r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF;
- r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- t[0] = (1 << (D-1)) - a->coeffs[8*i+0];
- t[1] = (1 << (D-1)) - a->coeffs[8*i+1];
- t[2] = (1 << (D-1)) - a->coeffs[8*i+2];
- t[3] = (1 << (D-1)) - a->coeffs[8*i+3];
- t[4] = (1 << (D-1)) - a->coeffs[8*i+4];
- t[5] = (1 << (D-1)) - a->coeffs[8*i+5];
- t[6] = (1 << (D-1)) - a->coeffs[8*i+6];
- t[7] = (1 << (D-1)) - a->coeffs[8*i+7];
-
- r[13*i+ 0] = t[0];
- r[13*i+ 1] = t[0] >> 8;
- r[13*i+ 1] |= t[1] << 5;
- r[13*i+ 2] = t[1] >> 3;
- r[13*i+ 3] = t[1] >> 11;
- r[13*i+ 3] |= t[2] << 2;
- r[13*i+ 4] = t[2] >> 6;
- r[13*i+ 4] |= t[3] << 7;
- r[13*i+ 5] = t[3] >> 1;
- r[13*i+ 6] = t[3] >> 9;
- r[13*i+ 6] |= t[4] << 4;
- r[13*i+ 7] = t[4] >> 4;
- r[13*i+ 8] = t[4] >> 12;
- r[13*i+ 8] |= t[5] << 1;
- r[13*i+ 9] = t[5] >> 7;
- r[13*i+ 9] |= t[6] << 6;
- r[13*i+10] = t[6] >> 2;
- r[13*i+11] = t[6] >> 10;
- r[13*i+11] |= t[7] << 3;
- r[13*i+12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly * restrict r, const uint8_t a[POLYT0_PACKEDBYTES]) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = a[13*i+0];
- r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8;
- r->coeffs[8*i+0] &= 0x1FFF;
-
- r->coeffs[8*i+1] = a[13*i+1] >> 5;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11;
- r->coeffs[8*i+1] &= 0x1FFF;
-
- r->coeffs[8*i+2] = a[13*i+3] >> 2;
- r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6;
- r->coeffs[8*i+2] &= 0x1FFF;
-
- r->coeffs[8*i+3] = a[13*i+4] >> 7;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9;
- r->coeffs[8*i+3] &= 0x1FFF;
-
- r->coeffs[8*i+4] = a[13*i+6] >> 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12;
- r->coeffs[8*i+4] &= 0x1FFF;
-
- r->coeffs[8*i+5] = a[13*i+8] >> 1;
- r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7;
- r->coeffs[8*i+5] &= 0x1FFF;
-
- r->coeffs[8*i+6] = a[13*i+9] >> 6;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10;
- r->coeffs[8*i+6] &= 0x1FFF;
-
- r->coeffs[8*i+7] = a[13*i+11] >> 3;
- r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5;
- r->coeffs[8*i+7] &= 0x1FFF;
-
- r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly * restrict a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
-
- r[9*i+0] = t[0];
- r[9*i+1] = t[0] >> 8;
- r[9*i+2] = t[0] >> 16;
- r[9*i+2] |= t[1] << 2;
- r[9*i+3] = t[1] >> 6;
- r[9*i+4] = t[1] >> 14;
- r[9*i+4] |= t[2] << 4;
- r[9*i+5] = t[2] >> 4;
- r[9*i+6] = t[2] >> 12;
- r[9*i+6] |= t[3] << 6;
- r[9*i+7] = t[3] >> 2;
- r[9*i+8] = t[3] >> 10;
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
-
- r[5*i+0] = t[0];
- r[5*i+1] = t[0] >> 8;
- r[5*i+2] = t[0] >> 16;
- r[5*i+2] |= t[1] << 4;
- r[5*i+3] = t[1] >> 4;
- r[5*i+4] = t[1] >> 12;
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-#if GAMMA1 == (1 << 17)
-void polyz_unpack(poly * restrict r, const uint8_t *a) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1, 9, 8, 7,-1, 7, 6, 5,-1, 5, 4, 3,-1, 3, 2, 1,
- -1, 8, 7, 6,-1, 6, 5, 4,-1, 4, 3, 2,-1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set_epi32(6,4,2,0,6,4,2,0);
- const __m256i mask = _mm256_set1_epi32(0x3FFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[18*i]);
- f = _mm256_permute4x64_epi64(f,0x94);
- f = _mm256_shuffle_epi8(f,shufbidx);
- f = _mm256_srlv_epi32(f,srlvdidx);
- f = _mm256_and_si256(f,mask);
- f = _mm256_sub_epi32(gamma1,f);
- _mm256_store_si256(&r->vec[i],f);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-#elif GAMMA1 == (1 << 19)
-void polyz_unpack(poly * restrict r, const uint8_t *a) {
- unsigned int i;
- __m256i f;
- const __m256i shufbidx = _mm256_set_epi8(-1,11,10, 9,-1, 9, 8, 7,-1, 6, 5, 4,-1, 4, 3, 2,
- -1, 9, 8, 7,-1, 7, 6, 5,-1, 4, 3, 2,-1, 2, 1, 0);
- const __m256i srlvdidx = _mm256_set1_epi64x((uint64_t)4 << 32);
- const __m256i mask = _mm256_set1_epi32(0xFFFFF);
- const __m256i gamma1 = _mm256_set1_epi32(GAMMA1);
- DBENCH_START();
-
- for(i = 0; i < N/8; i++) {
- f = _mm256_loadu_si256((__m256i *)&a[20*i]);
- f = _mm256_permute4x64_epi64(f,0x94);
- f = _mm256_shuffle_epi8(f,shufbidx);
- f = _mm256_srlv_epi32(f,srlvdidx);
- f = _mm256_and_si256(f,mask);
- f = _mm256_sub_epi32(gamma1,f);
- _mm256_store_si256(&r->vec[i],f);
- }
-
- DBENCH_STOP(*tpack);
-}
-#endif
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be positive standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-#if GAMMA2 == (Q-1)/88
-void polyw1_pack(uint8_t *r, const poly * restrict a) {
- unsigned int i;
- __m256i f0,f1,f2,f3;
- const __m256i shift1 = _mm256_set1_epi16((64 << 8) + 1);
- const __m256i shift2 = _mm256_set1_epi32((4096 << 16) + 1);
- const __m256i shufdidx1 = _mm256_set_epi32(7,3,6,2,5,1,4,0);
- const __m256i shufdidx2 = _mm256_set_epi32(-1,-1,6,5,4,2,1,0);
- const __m256i shufbidx = _mm256_set_epi8(-1,-1,-1,-1,14,13,12,10, 9, 8, 6, 5, 4, 2, 1, 0,
- -1,-1,-1,-1,14,13,12,10, 9, 8, 6, 5, 4, 2, 1, 0);
- DBENCH_START();
-
- for(i = 0; i < N/32; i++) {
- f0 = _mm256_load_si256(&a->vec[4*i+0]);
- f1 = _mm256_load_si256(&a->vec[4*i+1]);
- f2 = _mm256_load_si256(&a->vec[4*i+2]);
- f3 = _mm256_load_si256(&a->vec[4*i+3]);
- f0 = _mm256_packus_epi32(f0,f1);
- f1 = _mm256_packus_epi32(f2,f3);
- f0 = _mm256_packus_epi16(f0,f1);
- f0 = _mm256_maddubs_epi16(f0,shift1);
- f0 = _mm256_madd_epi16(f0,shift2);
- f0 = _mm256_permutevar8x32_epi32(f0,shufdidx1);
- f0 = _mm256_shuffle_epi8(f0,shufbidx);
- f0 = _mm256_permutevar8x32_epi32(f0,shufdidx2);
- _mm256_storeu_si256((__m256i *)&r[24*i],f0);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-#elif GAMMA2 == (Q-1)/32
-void polyw1_pack(uint8_t *r, const poly * restrict a) {
- unsigned int i;
- __m256i f0, f1, f2, f3, f4, f5, f6, f7;
- const __m256i shift = _mm256_set1_epi16((16 << 8) + 1);
- const __m256i shufbidx = _mm256_set_epi8(15,14, 7, 6,13,12, 5, 4,11,10, 3, 2, 9, 8, 1, 0,
- 15,14, 7, 6,13,12, 5, 4,11,10, 3, 2, 9, 8, 1, 0);
- DBENCH_START();
-
- for(i = 0; i < N/64; ++i) {
- f0 = _mm256_load_si256(&a->vec[8*i+0]);
- f1 = _mm256_load_si256(&a->vec[8*i+1]);
- f2 = _mm256_load_si256(&a->vec[8*i+2]);
- f3 = _mm256_load_si256(&a->vec[8*i+3]);
- f4 = _mm256_load_si256(&a->vec[8*i+4]);
- f5 = _mm256_load_si256(&a->vec[8*i+5]);
- f6 = _mm256_load_si256(&a->vec[8*i+6]);
- f7 = _mm256_load_si256(&a->vec[8*i+7]);
- f0 = _mm256_packus_epi32(f0,f1);
- f1 = _mm256_packus_epi32(f2,f3);
- f2 = _mm256_packus_epi32(f4,f5);
- f3 = _mm256_packus_epi32(f6,f7);
- f0 = _mm256_packus_epi16(f0,f1);
- f1 = _mm256_packus_epi16(f2,f3);
- f0 = _mm256_maddubs_epi16(f0,shift);
- f1 = _mm256_maddubs_epi16(f1,shift);
- f0 = _mm256_packus_epi16(f0,f1);
- f0 = _mm256_permute4x64_epi64(f0,0xD8);
- f0 = _mm256_shuffle_epi8(f0,shufbidx);
- _mm256_storeu_si256((__m256i *)&r[32*i], f0);
- }
-
- DBENCH_STOP(*tpack);
-}
-#endif
+++ /dev/null
-#ifndef POLY_H
-#define POLY_H
-
-#include <stdint.h>
-#include "align.h"
-#include "params.h"
-#include "symmetric.h"
-
-typedef ALIGNED_INT32(N) poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_nttunpack DILITHIUM_NAMESPACE(poly_nttunpack)
-void poly_nttunpack(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(uint8_t hint[N], const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform_preinit DILITHIUM_NAMESPACE(poly_uniform_preinit)
-void poly_uniform_preinit(poly *a, stream128_state *state);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-#define poly_uniform_eta_preinit DILITHIUM_NAMESPACE(poly_uniform_eta_preinit)
-void poly_uniform_eta_preinit(poly *a, stream256_state *state);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-#define poly_uniform_gamma1_preinit DILITHIUM_NAMESPACE(poly_uniform_gamma1_preinit)
-void poly_uniform_gamma1_preinit(poly *a, stream256_state *state);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a, const uint8_t seed[CRHBYTES], uint16_t nonce);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#ifndef DILITHIUM_USE_AES
-#define poly_uniform_4x DILITHIUM_NAMESPACE(poly_uniform_4x)
-void poly_uniform_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#define poly_uniform_eta_4x DILITHIUM_NAMESPACE(poly_uniform_eta_4x)
-void poly_uniform_eta_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#define poly_uniform_gamma1_4x DILITHIUM_NAMESPACE(poly_uniform_gamma1_4x)
-void poly_uniform_gamma1_4x(poly *a0,
- poly *a1,
- poly *a2,
- poly *a3,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce0,
- uint16_t nonce1,
- uint16_t nonce2,
- uint16_t nonce3);
-#endif
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t r[POLYETA_PACKEDBYTES], const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t a[POLYETA_PACKEDBYTES]);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t r[POLYT1_PACKEDBYTES], const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t a[POLYT1_PACKEDBYTES]);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t r[POLYT0_PACKEDBYTES], const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t a[POLYT0_PACKEDBYTES]);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t r[POLYZ_PACKEDBYTES], const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "ntt.h"
-#include "consts.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-#ifdef DILITHIUM_USE_AES
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
- uint64_t nonce;
- aes256ctr_ctx state;
-
- aes256ctr_init_u64(&state, rho, 0);
-
- for(i = 0; i < K; i++) {
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&state, nonce);
- poly_uniform_preinit(&mat[i].vec[j], &state);
- poly_nttunpack(&mat[i].vec[j]);
- }
- }
- aes256_ctx_release(&state);
-}
-
-#elif K == 4 && L == 4
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvec_matrix_expand_row0(&mat[0], NULL, rho);
- polyvec_matrix_expand_row1(&mat[1], NULL, rho);
- polyvec_matrix_expand_row2(&mat[2], NULL, rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 256, 257, 258, 259);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 512, 513, 514, 515);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 768, 769, 770, 771);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
-}
-
-#elif K == 6 && L == 5
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvecl tmp;
- polyvec_matrix_expand_row0(&mat[0], &mat[1], rho);
- polyvec_matrix_expand_row1(&mat[1], &mat[2], rho);
- polyvec_matrix_expand_row2(&mat[2], &mat[3], rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
- polyvec_matrix_expand_row4(&mat[4], &mat[5], rho);
- polyvec_matrix_expand_row5(&mat[5], &tmp, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_uniform_4x(&rowa->vec[4], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 4, 256, 257, 258);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowb->vec[0], &rowb->vec[1], rho, 259, 260, 512, 513);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowb->vec[0], rho, 514, 515, 516, 768);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 769, 770, 771, 772);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
-}
-
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 1024, 1025, 1026, 1027);
- poly_uniform_4x(&rowa->vec[4], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 1028, 1280, 1281, 1282);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowb->vec[0], &rowb->vec[1], rho, 1283, 1284, 1536, 1537);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
-}
-
-#elif K == 8 && L == 7
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- polyvec_matrix_expand_row0(&mat[0], &mat[1], rho);
- polyvec_matrix_expand_row1(&mat[1], &mat[2], rho);
- polyvec_matrix_expand_row2(&mat[2], &mat[3], rho);
- polyvec_matrix_expand_row3(&mat[3], NULL, rho);
- polyvec_matrix_expand_row4(&mat[4], &mat[5], rho);
- polyvec_matrix_expand_row5(&mat[5], &mat[6], rho);
- polyvec_matrix_expand_row6(&mat[6], &mat[7], rho);
- polyvec_matrix_expand_row7(&mat[7], NULL, rho);
-}
-
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 0, 1, 2, 3);
- poly_uniform_4x(&rowa->vec[4], &rowa->vec[5], &rowa->vec[6], &rowb->vec[0], rho, 4, 5, 6, 256);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 257, 258, 259, 260);
- poly_uniform_4x(&rowa->vec[5], &rowa->vec[6], &rowb->vec[0], &rowb->vec[1], rho, 261, 262, 512, 513);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowa->vec[5], rho, 514, 515, 516, 517);
- poly_uniform_4x(&rowa->vec[6], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 518, 768, 769, 770);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row3(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 771, 772, 773, 774);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
-}
-
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[0], &rowa->vec[1], &rowa->vec[2], &rowa->vec[3], rho, 1024, 1025, 1026, 1027);
- poly_uniform_4x(&rowa->vec[4], &rowa->vec[5], &rowa->vec[6], &rowb->vec[0], rho, 1028, 1029, 1030, 1280);
- poly_nttunpack(&rowa->vec[0]);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
-}
-
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[1], &rowa->vec[2], &rowa->vec[3], &rowa->vec[4], rho, 1281, 1282, 1283, 1284);
- poly_uniform_4x(&rowa->vec[5], &rowa->vec[6], &rowb->vec[0], &rowb->vec[1], rho, 1285, 1286, 1536, 1537);
- poly_nttunpack(&rowa->vec[1]);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
-}
-
-void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[2], &rowa->vec[3], &rowa->vec[4], &rowa->vec[5], rho, 1538, 1539, 1540, 1541);
- poly_uniform_4x(&rowa->vec[6], &rowb->vec[0], &rowb->vec[1], &rowb->vec[2], rho, 1542, 1792, 1793, 1794);
- poly_nttunpack(&rowa->vec[2]);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
- poly_nttunpack(&rowb->vec[0]);
- poly_nttunpack(&rowb->vec[1]);
- poly_nttunpack(&rowb->vec[2]);
-}
-
-void polyvec_matrix_expand_row7(polyvecl *rowa, __attribute__((unused)) polyvecl *rowb, const uint8_t rho[SEEDBYTES]) {
- poly_uniform_4x(&rowa->vec[3], &rowa->vec[4], &rowa->vec[5], &rowa->vec[6], rho, 1795, 1796, 1797, 1798);
- poly_nttunpack(&rowa->vec[3]);
- poly_nttunpack(&rowa->vec[4]);
- poly_nttunpack(&rowa->vec[5]);
- poly_nttunpack(&rowa->vec[6]);
-}
-
-#else
-#error
-#endif
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void polyvecl_pointwise_acc_montgomery(poly *w, const polyvecl *u, const polyvecl *v) {
- pointwise_acc_avx(w->vec, u->vec->vec, v->vec->vec, qdata.vec);
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_caddq(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_shiftl(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - uint8_t *hint: pointer to output hint array
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1)
-{
- unsigned int i, n = 0;
-
- for(i = 0; i < K; ++i)
- n += poly_make_hint(&hint[n], &v0->vec[i], &v1->vec[i]);
-
- return n;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
-}
-
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyw1_pack(&r[i*POLYW1_PACKEDBYTES], &w1->vec[i]);
-}
+++ /dev/null
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery \
- DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(uint8_t *hint, const polyveck *v0, const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#ifndef DILITHIUM_USE_AES
-#define polyvec_matrix_expand_row0 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row0)
-void polyvec_matrix_expand_row0(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row1 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row1)
-void polyvec_matrix_expand_row1(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row2 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row2)
-void polyvec_matrix_expand_row2(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row3 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row3)
-void polyvec_matrix_expand_row3(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row4 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row4)
-void polyvec_matrix_expand_row4(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row5 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row5)
-void polyvec_matrix_expand_row5(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row6 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row6)
-void polyvec_matrix_expand_row6(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#define polyvec_matrix_expand_row7 DILITHIUM_NAMESPACE(polyvec_matrix_expand_row7)
-void polyvec_matrix_expand_row7(polyvecl *rowa, polyvecl *rowb, const uint8_t rho[SEEDBYTES]);
-#endif
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include "params.h"
-#include "rejsample.h"
-#include "symmetric.h"
-
-const uint8_t idxlut[256][8] = {
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 0, 0, 0, 0, 0, 0, 0, 0},
- { 1, 0, 0, 0, 0, 0, 0, 0},
- { 0, 1, 0, 0, 0, 0, 0, 0},
- { 2, 0, 0, 0, 0, 0, 0, 0},
- { 0, 2, 0, 0, 0, 0, 0, 0},
- { 1, 2, 0, 0, 0, 0, 0, 0},
- { 0, 1, 2, 0, 0, 0, 0, 0},
- { 3, 0, 0, 0, 0, 0, 0, 0},
- { 0, 3, 0, 0, 0, 0, 0, 0},
- { 1, 3, 0, 0, 0, 0, 0, 0},
- { 0, 1, 3, 0, 0, 0, 0, 0},
- { 2, 3, 0, 0, 0, 0, 0, 0},
- { 0, 2, 3, 0, 0, 0, 0, 0},
- { 1, 2, 3, 0, 0, 0, 0, 0},
- { 0, 1, 2, 3, 0, 0, 0, 0},
- { 4, 0, 0, 0, 0, 0, 0, 0},
- { 0, 4, 0, 0, 0, 0, 0, 0},
- { 1, 4, 0, 0, 0, 0, 0, 0},
- { 0, 1, 4, 0, 0, 0, 0, 0},
- { 2, 4, 0, 0, 0, 0, 0, 0},
- { 0, 2, 4, 0, 0, 0, 0, 0},
- { 1, 2, 4, 0, 0, 0, 0, 0},
- { 0, 1, 2, 4, 0, 0, 0, 0},
- { 3, 4, 0, 0, 0, 0, 0, 0},
- { 0, 3, 4, 0, 0, 0, 0, 0},
- { 1, 3, 4, 0, 0, 0, 0, 0},
- { 0, 1, 3, 4, 0, 0, 0, 0},
- { 2, 3, 4, 0, 0, 0, 0, 0},
- { 0, 2, 3, 4, 0, 0, 0, 0},
- { 1, 2, 3, 4, 0, 0, 0, 0},
- { 0, 1, 2, 3, 4, 0, 0, 0},
- { 5, 0, 0, 0, 0, 0, 0, 0},
- { 0, 5, 0, 0, 0, 0, 0, 0},
- { 1, 5, 0, 0, 0, 0, 0, 0},
- { 0, 1, 5, 0, 0, 0, 0, 0},
- { 2, 5, 0, 0, 0, 0, 0, 0},
- { 0, 2, 5, 0, 0, 0, 0, 0},
- { 1, 2, 5, 0, 0, 0, 0, 0},
- { 0, 1, 2, 5, 0, 0, 0, 0},
- { 3, 5, 0, 0, 0, 0, 0, 0},
- { 0, 3, 5, 0, 0, 0, 0, 0},
- { 1, 3, 5, 0, 0, 0, 0, 0},
- { 0, 1, 3, 5, 0, 0, 0, 0},
- { 2, 3, 5, 0, 0, 0, 0, 0},
- { 0, 2, 3, 5, 0, 0, 0, 0},
- { 1, 2, 3, 5, 0, 0, 0, 0},
- { 0, 1, 2, 3, 5, 0, 0, 0},
- { 4, 5, 0, 0, 0, 0, 0, 0},
- { 0, 4, 5, 0, 0, 0, 0, 0},
- { 1, 4, 5, 0, 0, 0, 0, 0},
- { 0, 1, 4, 5, 0, 0, 0, 0},
- { 2, 4, 5, 0, 0, 0, 0, 0},
- { 0, 2, 4, 5, 0, 0, 0, 0},
- { 1, 2, 4, 5, 0, 0, 0, 0},
- { 0, 1, 2, 4, 5, 0, 0, 0},
- { 3, 4, 5, 0, 0, 0, 0, 0},
- { 0, 3, 4, 5, 0, 0, 0, 0},
- { 1, 3, 4, 5, 0, 0, 0, 0},
- { 0, 1, 3, 4, 5, 0, 0, 0},
- { 2, 3, 4, 5, 0, 0, 0, 0},
- { 0, 2, 3, 4, 5, 0, 0, 0},
- { 1, 2, 3, 4, 5, 0, 0, 0},
- { 0, 1, 2, 3, 4, 5, 0, 0},
- { 6, 0, 0, 0, 0, 0, 0, 0},
- { 0, 6, 0, 0, 0, 0, 0, 0},
- { 1, 6, 0, 0, 0, 0, 0, 0},
- { 0, 1, 6, 0, 0, 0, 0, 0},
- { 2, 6, 0, 0, 0, 0, 0, 0},
- { 0, 2, 6, 0, 0, 0, 0, 0},
- { 1, 2, 6, 0, 0, 0, 0, 0},
- { 0, 1, 2, 6, 0, 0, 0, 0},
- { 3, 6, 0, 0, 0, 0, 0, 0},
- { 0, 3, 6, 0, 0, 0, 0, 0},
- { 1, 3, 6, 0, 0, 0, 0, 0},
- { 0, 1, 3, 6, 0, 0, 0, 0},
- { 2, 3, 6, 0, 0, 0, 0, 0},
- { 0, 2, 3, 6, 0, 0, 0, 0},
- { 1, 2, 3, 6, 0, 0, 0, 0},
- { 0, 1, 2, 3, 6, 0, 0, 0},
- { 4, 6, 0, 0, 0, 0, 0, 0},
- { 0, 4, 6, 0, 0, 0, 0, 0},
- { 1, 4, 6, 0, 0, 0, 0, 0},
- { 0, 1, 4, 6, 0, 0, 0, 0},
- { 2, 4, 6, 0, 0, 0, 0, 0},
- { 0, 2, 4, 6, 0, 0, 0, 0},
- { 1, 2, 4, 6, 0, 0, 0, 0},
- { 0, 1, 2, 4, 6, 0, 0, 0},
- { 3, 4, 6, 0, 0, 0, 0, 0},
- { 0, 3, 4, 6, 0, 0, 0, 0},
- { 1, 3, 4, 6, 0, 0, 0, 0},
- { 0, 1, 3, 4, 6, 0, 0, 0},
- { 2, 3, 4, 6, 0, 0, 0, 0},
- { 0, 2, 3, 4, 6, 0, 0, 0},
- { 1, 2, 3, 4, 6, 0, 0, 0},
- { 0, 1, 2, 3, 4, 6, 0, 0},
- { 5, 6, 0, 0, 0, 0, 0, 0},
- { 0, 5, 6, 0, 0, 0, 0, 0},
- { 1, 5, 6, 0, 0, 0, 0, 0},
- { 0, 1, 5, 6, 0, 0, 0, 0},
- { 2, 5, 6, 0, 0, 0, 0, 0},
- { 0, 2, 5, 6, 0, 0, 0, 0},
- { 1, 2, 5, 6, 0, 0, 0, 0},
- { 0, 1, 2, 5, 6, 0, 0, 0},
- { 3, 5, 6, 0, 0, 0, 0, 0},
- { 0, 3, 5, 6, 0, 0, 0, 0},
- { 1, 3, 5, 6, 0, 0, 0, 0},
- { 0, 1, 3, 5, 6, 0, 0, 0},
- { 2, 3, 5, 6, 0, 0, 0, 0},
- { 0, 2, 3, 5, 6, 0, 0, 0},
- { 1, 2, 3, 5, 6, 0, 0, 0},
- { 0, 1, 2, 3, 5, 6, 0, 0},
- { 4, 5, 6, 0, 0, 0, 0, 0},
- { 0, 4, 5, 6, 0, 0, 0, 0},
- { 1, 4, 5, 6, 0, 0, 0, 0},
- { 0, 1, 4, 5, 6, 0, 0, 0},
- { 2, 4, 5, 6, 0, 0, 0, 0},
- { 0, 2, 4, 5, 6, 0, 0, 0},
- { 1, 2, 4, 5, 6, 0, 0, 0},
- { 0, 1, 2, 4, 5, 6, 0, 0},
- { 3, 4, 5, 6, 0, 0, 0, 0},
- { 0, 3, 4, 5, 6, 0, 0, 0},
- { 1, 3, 4, 5, 6, 0, 0, 0},
- { 0, 1, 3, 4, 5, 6, 0, 0},
- { 2, 3, 4, 5, 6, 0, 0, 0},
- { 0, 2, 3, 4, 5, 6, 0, 0},
- { 1, 2, 3, 4, 5, 6, 0, 0},
- { 0, 1, 2, 3, 4, 5, 6, 0},
- { 7, 0, 0, 0, 0, 0, 0, 0},
- { 0, 7, 0, 0, 0, 0, 0, 0},
- { 1, 7, 0, 0, 0, 0, 0, 0},
- { 0, 1, 7, 0, 0, 0, 0, 0},
- { 2, 7, 0, 0, 0, 0, 0, 0},
- { 0, 2, 7, 0, 0, 0, 0, 0},
- { 1, 2, 7, 0, 0, 0, 0, 0},
- { 0, 1, 2, 7, 0, 0, 0, 0},
- { 3, 7, 0, 0, 0, 0, 0, 0},
- { 0, 3, 7, 0, 0, 0, 0, 0},
- { 1, 3, 7, 0, 0, 0, 0, 0},
- { 0, 1, 3, 7, 0, 0, 0, 0},
- { 2, 3, 7, 0, 0, 0, 0, 0},
- { 0, 2, 3, 7, 0, 0, 0, 0},
- { 1, 2, 3, 7, 0, 0, 0, 0},
- { 0, 1, 2, 3, 7, 0, 0, 0},
- { 4, 7, 0, 0, 0, 0, 0, 0},
- { 0, 4, 7, 0, 0, 0, 0, 0},
- { 1, 4, 7, 0, 0, 0, 0, 0},
- { 0, 1, 4, 7, 0, 0, 0, 0},
- { 2, 4, 7, 0, 0, 0, 0, 0},
- { 0, 2, 4, 7, 0, 0, 0, 0},
- { 1, 2, 4, 7, 0, 0, 0, 0},
- { 0, 1, 2, 4, 7, 0, 0, 0},
- { 3, 4, 7, 0, 0, 0, 0, 0},
- { 0, 3, 4, 7, 0, 0, 0, 0},
- { 1, 3, 4, 7, 0, 0, 0, 0},
- { 0, 1, 3, 4, 7, 0, 0, 0},
- { 2, 3, 4, 7, 0, 0, 0, 0},
- { 0, 2, 3, 4, 7, 0, 0, 0},
- { 1, 2, 3, 4, 7, 0, 0, 0},
- { 0, 1, 2, 3, 4, 7, 0, 0},
- { 5, 7, 0, 0, 0, 0, 0, 0},
- { 0, 5, 7, 0, 0, 0, 0, 0},
- { 1, 5, 7, 0, 0, 0, 0, 0},
- { 0, 1, 5, 7, 0, 0, 0, 0},
- { 2, 5, 7, 0, 0, 0, 0, 0},
- { 0, 2, 5, 7, 0, 0, 0, 0},
- { 1, 2, 5, 7, 0, 0, 0, 0},
- { 0, 1, 2, 5, 7, 0, 0, 0},
- { 3, 5, 7, 0, 0, 0, 0, 0},
- { 0, 3, 5, 7, 0, 0, 0, 0},
- { 1, 3, 5, 7, 0, 0, 0, 0},
- { 0, 1, 3, 5, 7, 0, 0, 0},
- { 2, 3, 5, 7, 0, 0, 0, 0},
- { 0, 2, 3, 5, 7, 0, 0, 0},
- { 1, 2, 3, 5, 7, 0, 0, 0},
- { 0, 1, 2, 3, 5, 7, 0, 0},
- { 4, 5, 7, 0, 0, 0, 0, 0},
- { 0, 4, 5, 7, 0, 0, 0, 0},
- { 1, 4, 5, 7, 0, 0, 0, 0},
- { 0, 1, 4, 5, 7, 0, 0, 0},
- { 2, 4, 5, 7, 0, 0, 0, 0},
- { 0, 2, 4, 5, 7, 0, 0, 0},
- { 1, 2, 4, 5, 7, 0, 0, 0},
- { 0, 1, 2, 4, 5, 7, 0, 0},
- { 3, 4, 5, 7, 0, 0, 0, 0},
- { 0, 3, 4, 5, 7, 0, 0, 0},
- { 1, 3, 4, 5, 7, 0, 0, 0},
- { 0, 1, 3, 4, 5, 7, 0, 0},
- { 2, 3, 4, 5, 7, 0, 0, 0},
- { 0, 2, 3, 4, 5, 7, 0, 0},
- { 1, 2, 3, 4, 5, 7, 0, 0},
- { 0, 1, 2, 3, 4, 5, 7, 0},
- { 6, 7, 0, 0, 0, 0, 0, 0},
- { 0, 6, 7, 0, 0, 0, 0, 0},
- { 1, 6, 7, 0, 0, 0, 0, 0},
- { 0, 1, 6, 7, 0, 0, 0, 0},
- { 2, 6, 7, 0, 0, 0, 0, 0},
- { 0, 2, 6, 7, 0, 0, 0, 0},
- { 1, 2, 6, 7, 0, 0, 0, 0},
- { 0, 1, 2, 6, 7, 0, 0, 0},
- { 3, 6, 7, 0, 0, 0, 0, 0},
- { 0, 3, 6, 7, 0, 0, 0, 0},
- { 1, 3, 6, 7, 0, 0, 0, 0},
- { 0, 1, 3, 6, 7, 0, 0, 0},
- { 2, 3, 6, 7, 0, 0, 0, 0},
- { 0, 2, 3, 6, 7, 0, 0, 0},
- { 1, 2, 3, 6, 7, 0, 0, 0},
- { 0, 1, 2, 3, 6, 7, 0, 0},
- { 4, 6, 7, 0, 0, 0, 0, 0},
- { 0, 4, 6, 7, 0, 0, 0, 0},
- { 1, 4, 6, 7, 0, 0, 0, 0},
- { 0, 1, 4, 6, 7, 0, 0, 0},
- { 2, 4, 6, 7, 0, 0, 0, 0},
- { 0, 2, 4, 6, 7, 0, 0, 0},
- { 1, 2, 4, 6, 7, 0, 0, 0},
- { 0, 1, 2, 4, 6, 7, 0, 0},
- { 3, 4, 6, 7, 0, 0, 0, 0},
- { 0, 3, 4, 6, 7, 0, 0, 0},
- { 1, 3, 4, 6, 7, 0, 0, 0},
- { 0, 1, 3, 4, 6, 7, 0, 0},
- { 2, 3, 4, 6, 7, 0, 0, 0},
- { 0, 2, 3, 4, 6, 7, 0, 0},
- { 1, 2, 3, 4, 6, 7, 0, 0},
- { 0, 1, 2, 3, 4, 6, 7, 0},
- { 5, 6, 7, 0, 0, 0, 0, 0},
- { 0, 5, 6, 7, 0, 0, 0, 0},
- { 1, 5, 6, 7, 0, 0, 0, 0},
- { 0, 1, 5, 6, 7, 0, 0, 0},
- { 2, 5, 6, 7, 0, 0, 0, 0},
- { 0, 2, 5, 6, 7, 0, 0, 0},
- { 1, 2, 5, 6, 7, 0, 0, 0},
- { 0, 1, 2, 5, 6, 7, 0, 0},
- { 3, 5, 6, 7, 0, 0, 0, 0},
- { 0, 3, 5, 6, 7, 0, 0, 0},
- { 1, 3, 5, 6, 7, 0, 0, 0},
- { 0, 1, 3, 5, 6, 7, 0, 0},
- { 2, 3, 5, 6, 7, 0, 0, 0},
- { 0, 2, 3, 5, 6, 7, 0, 0},
- { 1, 2, 3, 5, 6, 7, 0, 0},
- { 0, 1, 2, 3, 5, 6, 7, 0},
- { 4, 5, 6, 7, 0, 0, 0, 0},
- { 0, 4, 5, 6, 7, 0, 0, 0},
- { 1, 4, 5, 6, 7, 0, 0, 0},
- { 0, 1, 4, 5, 6, 7, 0, 0},
- { 2, 4, 5, 6, 7, 0, 0, 0},
- { 0, 2, 4, 5, 6, 7, 0, 0},
- { 1, 2, 4, 5, 6, 7, 0, 0},
- { 0, 1, 2, 4, 5, 6, 7, 0},
- { 3, 4, 5, 6, 7, 0, 0, 0},
- { 0, 3, 4, 5, 6, 7, 0, 0},
- { 1, 3, 4, 5, 6, 7, 0, 0},
- { 0, 1, 3, 4, 5, 6, 7, 0},
- { 2, 3, 4, 5, 6, 7, 0, 0},
- { 0, 2, 3, 4, 5, 6, 7, 0},
- { 1, 2, 3, 4, 5, 6, 7, 0},
- { 0, 1, 2, 3, 4, 5, 6, 7}
-};
-
-unsigned int rej_uniform_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_BUFLEN+8])
-{
- unsigned int ctr, pos;
- uint32_t good;
- __m256i d, tmp;
- const __m256i bound = _mm256_set1_epi32(Q);
- const __m256i mask = _mm256_set1_epi32(0x7FFFFF);
- const __m256i idx8 = _mm256_set_epi8(-1,15,14,13,-1,12,11,10,
- -1, 9, 8, 7,-1, 6, 5, 4,
- -1,11,10, 9,-1, 8, 7, 6,
- -1, 5, 4, 3,-1, 2, 1, 0);
-
- ctr = pos = 0;
- while(pos <= REJ_UNIFORM_BUFLEN - 24) {
- d = _mm256_loadu_si256((__m256i *)&buf[pos]);
- d = _mm256_permute4x64_epi64(d, 0x94);
- d = _mm256_shuffle_epi8(d, idx8);
- d = _mm256_and_si256(d, mask);
- pos += 24;
-
- tmp = _mm256_sub_epi32(d, bound);
- good = _mm256_movemask_ps((__m256)tmp);
- tmp = _mm256_cvtepu8_epi32(_mm_loadl_epi64((__m128i *)&idxlut[good]));
- d = _mm256_permutevar8x32_epi32(d, tmp);
-
- _mm256_storeu_si256((__m256i *)&r[ctr], d);
- ctr += _mm_popcnt_u32(good);
-
-#ifndef DILITHIUM_USE_AES
- if(ctr > N - 8) break;
-#endif
- }
-
-#ifndef DILITHIUM_USE_AES
- uint32_t t;
- while(ctr < N && pos <= REJ_UNIFORM_BUFLEN - 3) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- r[ctr++] = t;
- }
-#endif
-
- return ctr;
-}
-
-#if ETA == 2
-unsigned int rej_eta_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) {
- unsigned int ctr, pos;
- uint32_t good;
- __m256i f0, f1, f2;
- __m128i g0, g1;
- const __m256i mask = _mm256_set1_epi8(15);
- const __m256i eta = _mm256_set1_epi8(ETA);
- const __m256i bound = mask;
- const __m256i v = _mm256_set1_epi32(-6560);
- const __m256i p = _mm256_set1_epi32(5);
-
- ctr = pos = 0;
- while(ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) {
- f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos]));
- f1 = _mm256_slli_epi16(f0,4);
- f0 = _mm256_or_si256(f0,f1);
- f0 = _mm256_and_si256(f0,mask);
-
- f1 = _mm256_sub_epi8(f0,bound);
- f0 = _mm256_sub_epi8(eta,f0);
- good = _mm256_movemask_epi8(f1);
-
- g0 = _mm256_castsi256_si128(f0);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm256_extracti128_si256(f0,1);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- f2 = _mm256_mulhrs_epi16(f1,v);
- f2 = _mm256_mullo_epi16(f2,p);
- f1 = _mm256_add_epi32(f1,f2);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good);
- pos += 4;
- }
-
- uint32_t t0, t1;
- while(ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- r[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < N) {
- t1 = t1 - (205*t1 >> 10)*5;
- r[ctr++] = 2 - t1;
- }
- }
-
- return ctr;
-}
-
-#elif ETA == 4
-unsigned int rej_eta_avx(int32_t * restrict r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]) {
- unsigned int ctr, pos;
- uint32_t good;
- __m256i f0, f1;
- __m128i g0, g1;
- const __m256i mask = _mm256_set1_epi8(15);
- const __m256i eta = _mm256_set1_epi8(4);
- const __m256i bound = _mm256_set1_epi8(9);
-
- ctr = pos = 0;
- while(ctr <= N - 8 && pos <= REJ_UNIFORM_ETA_BUFLEN - 16) {
- f0 = _mm256_cvtepu8_epi16(_mm_loadu_si128((__m128i *)&buf[pos]));
- f1 = _mm256_slli_epi16(f0,4);
- f0 = _mm256_or_si256(f0,f1);
- f0 = _mm256_and_si256(f0,mask);
-
- f1 = _mm256_sub_epi8(f0,bound);
- f0 = _mm256_sub_epi8(eta,f0);
- good = _mm256_movemask_epi8(f1);
-
- g0 = _mm256_castsi256_si128(f0);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm256_extracti128_si256(f0,1);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good & 0xFF]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good & 0xFF);
- good >>= 8;
- pos += 4;
-
- if(ctr > N - 8) break;
- g0 = _mm_bsrli_si128(g0,8);
- g1 = _mm_loadl_epi64((__m128i *)&idxlut[good]);
- g1 = _mm_shuffle_epi8(g0,g1);
- f1 = _mm256_cvtepi8_epi32(g1);
- _mm256_storeu_si256((__m256i *)&r[ctr],f1);
- ctr += _mm_popcnt_u32(good);
- pos += 4;
- }
-
- uint32_t t0, t1;
- while(ctr < N && pos < REJ_UNIFORM_ETA_BUFLEN) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
- if(t0 < 9)
- r[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < N)
- r[ctr++] = 4 - t1;
- }
-
- return ctr;
-}
-#endif
+++ /dev/null
-#ifndef REJSAMPLE_H
-#define REJSAMPLE_H
-
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-
-#define REJ_UNIFORM_NBLOCKS ((768+STREAM128_BLOCKBYTES-1)/STREAM128_BLOCKBYTES)
-#define REJ_UNIFORM_BUFLEN (REJ_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES)
-
-#if ETA == 2
-#define REJ_UNIFORM_ETA_NBLOCKS ((136+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define REJ_UNIFORM_ETA_NBLOCKS ((227+STREAM256_BLOCKBYTES-1)/STREAM256_BLOCKBYTES)
-#endif
-#define REJ_UNIFORM_ETA_BUFLEN (REJ_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES)
-
-#define idxlut DILITHIUM_NAMESPACE(idxlut)
-extern const uint8_t idxlut[256][8];
-
-#define rej_uniform_avx DILITHIUM_NAMESPACE(rej_uniform_avx)
-unsigned int rej_uniform_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_BUFLEN+8]);
-
-#define rej_eta_avx DILITHIUM_NAMESPACE(rej_eta_avx)
-unsigned int rej_eta_avx(int32_t *r, const uint8_t buf[REJ_UNIFORM_ETA_BUFLEN]);
-
-#endif
-
+++ /dev/null
-#include <stdint.h>
-#include <immintrin.h>
-#include <string.h>
-#include "params.h"
-#include "rounding.h"
-#include "rejsample.h"
-#include "consts.h"
-
-#define _mm256_blendv_epi32(a,b,mask) \
- _mm256_castps_si256(_mm256_blendv_ps(_mm256_castsi256_ps(a), \
- _mm256_castsi256_ps(b), \
- _mm256_castsi256_ps(mask)))
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field elements a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be positive standard representative.
-*
-* Arguments: - __m256i *a1: output array of length N/8 with high bits
-* - __m256i *a0: output array of length N/8 with low bits a0
-* - const __m256i *a: input array of length N/8
-*
-**************************************************/
-void power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1;
- const __m256i mask = _mm256_set1_epi32(-(1 << D));
- const __m256i half = _mm256_set1_epi32((1 << (D-1)) - 1);
-
- for(i = 0; i < N/8; ++i) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,half);
- f0 = _mm256_and_si256(f1,mask);
- f1 = _mm256_srli_epi32(f1,D);
- f0 = _mm256_sub_epi32(f,f0);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low parts a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod Q - Q < 0. Assumes a to be positive standard
-* representative.
-*
-* Arguments: - __m256i *a1: output array of length N/8 with high parts
-* - __m256i *a0: output array of length N/8 with low parts a0
-* - const __m256i *a: input array of length N/8
-*
-**************************************************/
-#if GAMMA2 == (Q-1)/32
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i hq = _mm256_srli_epi32(q,1);
- const __m256i v = _mm256_set1_epi32(1025);
- const __m256i alpha = _mm256_set1_epi32(2*GAMMA2);
- const __m256i off = _mm256_set1_epi32(127);
- const __m256i shift = _mm256_set1_epi32(512);
- const __m256i mask = _mm256_set1_epi32(15);
-
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,off);
- f1 = _mm256_srli_epi32(f1,7);
- f1 = _mm256_mulhi_epu16(f1,v);
- f1 = _mm256_mulhrs_epi16(f1,shift);
- f1 = _mm256_and_si256(f1,mask);
- f0 = _mm256_mullo_epi32(f1,alpha);
- f0 = _mm256_sub_epi32(f,f0);
- f = _mm256_cmpgt_epi32(f0,hq);
- f = _mm256_and_si256(f,q);
- f0 = _mm256_sub_epi32(f0,f);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-
-#elif GAMMA2 == (Q-1)/88
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a)
-{
- unsigned int i;
- __m256i f,f0,f1,t;
- const __m256i q = _mm256_load_si256(&qdata.vec[_8XQ/8]);
- const __m256i hq = _mm256_srli_epi32(q,1);
- const __m256i v = _mm256_set1_epi32(11275);
- const __m256i alpha = _mm256_set1_epi32(2*GAMMA2);
- const __m256i off = _mm256_set1_epi32(127);
- const __m256i shift = _mm256_set1_epi32(128);
- const __m256i max = _mm256_set1_epi32(43);
- const __m256i zero = _mm256_setzero_si256();
-
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a[i]);
- f1 = _mm256_add_epi32(f,off);
- f1 = _mm256_srli_epi32(f1,7);
- f1 = _mm256_mulhi_epu16(f1,v);
- f1 = _mm256_mulhrs_epi16(f1,shift);
- t = _mm256_sub_epi32(max,f1);
- f1 = _mm256_blendv_epi32(f1,zero,t);
- f0 = _mm256_mullo_epi32(f1,alpha);
- f0 = _mm256_sub_epi32(f,f0);
- f = _mm256_cmpgt_epi32(f0,hq);
- f = _mm256_and_si256(f,q);
- f0 = _mm256_sub_epi32(f0,f);
- _mm256_store_si256(&a1[i],f1);
- _mm256_store_si256(&a0[i],f0);
- }
-}
-#endif
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute indices of polynomial coefficients whose low bits
-* overflow into the high bits.
-*
-* Arguments: - uint8_t *hint: hint array
-* - const __m256i *a0: low bits of input elements
-* - const __m256i *a1: high bits of input elements
-*
-* Returns number of overflowing low bits
-**************************************************/
-unsigned int make_hint_avx(uint8_t hint[N], const __m256i * restrict a0, const __m256i * restrict a1)
-{
- unsigned int i, n = 0;
- __m256i f0, f1, g0, g1;
- uint32_t bad;
- uint64_t idx;
- const __m256i low = _mm256_set1_epi32(-GAMMA2);
- const __m256i high = _mm256_set1_epi32(GAMMA2);
-
- for(i = 0; i < N/8; ++i) {
- f0 = _mm256_load_si256(&a0[i]);
- f1 = _mm256_load_si256(&a1[i]);
- g0 = _mm256_abs_epi32(f0);
- g0 = _mm256_cmpgt_epi32(g0,high);
- g1 = _mm256_cmpeq_epi32(f0,low);
- g1 = _mm256_sign_epi32(g1,f1);
- g0 = _mm256_or_si256(g0,g1);
-
- bad = _mm256_movemask_ps((__m256)g0);
- memcpy(&idx,idxlut[bad],8);
- idx += (uint64_t)0x0808080808080808*i;
- memcpy(&hint[n],&idx,8);
- n += _mm_popcnt_u32(bad);
- }
-
- return n;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high parts according to hint.
-*
-* Arguments: - __m256i *b: output array of length N/8 with corrected high parts
-* - const __m256i *a: input array of length N/8
-* - const __m256i *a: input array of length N/8 with hint bits
-*
-**************************************************/
-void use_hint_avx(__m256i *b, const __m256i *a, const __m256i * restrict hint) {
- unsigned int i;
- __m256i a0[N/8];
- __m256i f,g,h,t;
- const __m256i zero = _mm256_setzero_si256();
-#if GAMMA2 == (Q-1)/32
- const __m256i mask = _mm256_set1_epi32(15);
-#elif GAMMA2 == (Q-1)/88
- const __m256i max = _mm256_set1_epi32(43);
-#endif
-
- decompose_avx(b, a0, a);
- for(i=0;i<N/8;i++) {
- f = _mm256_load_si256(&a0[i]);
- g = _mm256_load_si256(&b[i]);
- h = _mm256_load_si256(&hint[i]);
- t = _mm256_blendv_epi32(zero,h,f);
- t = _mm256_slli_epi32(t,1);
- h = _mm256_sub_epi32(h,t);
- g = _mm256_add_epi32(g,h);
-#if GAMMA2 == (Q-1)/32
- g = _mm256_and_si256(g,mask);
-#elif GAMMA2 == (Q-1)/88
- g = _mm256_blendv_epi32(g,max,g);
- f = _mm256_cmpgt_epi32(g,max);
- g = _mm256_blendv_epi32(g,zero,f);
-#endif
- _mm256_store_si256(&b[i],g);
- }
-}
+++ /dev/null
-#ifndef ROUNDING_H
-#define ROUNDING_H
-
-#include <stdint.h>
-#include <immintrin.h>
-#include "params.h"
-
-#define power2round_avx DILITHIUM_NAMESPACE(power2round_avx)
-void power2round_avx(__m256i *a1, __m256i *a0, const __m256i *a);
-#define decompose_avx DILITHIUM_NAMESPACE(decompose_avx)
-void decompose_avx(__m256i *a1, __m256i *a0, const __m256i *a);
-#define make_hint_avx DILITHIUM_NAMESPACE(make_hint_avx)
-unsigned int make_hint_avx(uint8_t hint[N], const __m256i *a0, const __m256i *a1);
-#define use_hint_avx DILITHIUM_NAMESPACE(use_hint_avx)
-void use_hint_avx(__m256i *b, const __m256i *a, const __m256i *hint);
-
-#endif
+++ /dev/null
-#include "consts.h"
-.include "shuffle.inc"
-
-.text
-nttunpack128_avx:
-#load
-vmovdqa (%rdi),%ymm4
-vmovdqa 32(%rdi),%ymm5
-vmovdqa 64(%rdi),%ymm6
-vmovdqa 96(%rdi),%ymm7
-vmovdqa 128(%rdi),%ymm8
-vmovdqa 160(%rdi),%ymm9
-vmovdqa 192(%rdi),%ymm10
-vmovdqa 224(%rdi),%ymm11
-
-shuffle8 4,8,3,8
-shuffle8 5,9,4,9
-shuffle8 6,10,5,10
-shuffle8 7,11,6,11
-
-shuffle4 3,5,7,5
-shuffle4 8,10,3,10
-shuffle4 4,6,8,6
-shuffle4 9,11,4,11
-
-shuffle2 7,8,9,8
-shuffle2 5,6,7,6
-shuffle2 3,4,5,4
-shuffle2 10,11,3,11
-
-#store
-vmovdqa %ymm9,(%rdi)
-vmovdqa %ymm8,32(%rdi)
-vmovdqa %ymm7,64(%rdi)
-vmovdqa %ymm6,96(%rdi)
-vmovdqa %ymm5,128(%rdi)
-vmovdqa %ymm4,160(%rdi)
-vmovdqa %ymm3,192(%rdi)
-vmovdqa %ymm11,224(%rdi)
-
-ret
-
-.global cdecl(nttunpack_avx)
-cdecl(nttunpack_avx):
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-add $256,%rdi
-call nttunpack128_avx
-ret
+++ /dev/null
-.macro shuffle8 r0,r1,r2,r3
-vperm2i128 $0x20,%ymm\r1,%ymm\r0,%ymm\r2
-vperm2i128 $0x31,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle4 r0,r1,r2,r3
-vpunpcklqdq %ymm\r1,%ymm\r0,%ymm\r2
-vpunpckhqdq %ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle2 r0,r1,r2,r3
-#vpsllq $32,%ymm\r1,%ymm\r2
-vmovsldup %ymm\r1,%ymm\r2
-vpblendd $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrlq $32,%ymm\r0,%ymm\r0
-#vmovshdup %ymm\r0,%ymm\r0
-vpblendd $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
-
-.macro shuffle1 r0,r1,r2,r3
-vpslld $16,%ymm\r1,%ymm\r2
-vpblendw $0xAA,%ymm\r2,%ymm\r0,%ymm\r2
-vpsrld $16,%ymm\r0,%ymm\r0
-vpblendw $0xAA,%ymm\r1,%ymm\r0,%ymm\r3
-.endm
+++ /dev/null
-#include <stdint.h>
-#include <string.h>
-#include "align.h"
-#include "params.h"
-#include "sign.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "fips202.h"
-#ifdef DILITHIUM_USE_AES
-#include "aes256ctr.h"
-#endif
-
-#ifndef DILITHIUM_USE_AES
-static inline void polyvec_matrix_expand_row(polyvecl **row, polyvecl buf[2], const uint8_t rho[SEEDBYTES], unsigned int i) {
- switch(i) {
- case 0:
- polyvec_matrix_expand_row0(buf, buf + 1, rho);
- *row = buf;
- break;
- case 1:
- polyvec_matrix_expand_row1(buf + 1, buf, rho);
- *row = buf + 1;
- break;
- case 2:
- polyvec_matrix_expand_row2(buf, buf + 1, rho);
- *row = buf;
- break;
- case 3:
- polyvec_matrix_expand_row3(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#if K > 4
- case 4:
- polyvec_matrix_expand_row4(buf, buf + 1, rho);
- *row = buf;
- break;
- case 5:
- polyvec_matrix_expand_row5(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#endif
-#if K > 6
- case 6:
- polyvec_matrix_expand_row6(buf, buf + 1, rho);
- *row = buf;
- break;
- case 7:
- polyvec_matrix_expand_row7(buf + 1, buf, rho);
- *row = buf + 1;
- break;
-#endif
- }
-}
-#endif
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- unsigned int i;
- uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- const uint8_t *rho, *rhoprime, *key;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
- polyvecl rowbuf[2];
-#endif
- polyvecl s1, *row = rowbuf;
- polyveck s2;
- poly t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Store rho, key */
- memcpy(pk, rho, SEEDBYTES);
- memcpy(sk, rho, SEEDBYTES);
- memcpy(sk + SEEDBYTES, key, SEEDBYTES);
-
- /* Sample short vectors s1 and s2 */
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
- for(i = 0; i < L; ++i) {
- nonce = i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s1.vec[i], &aesctx);
- }
- for(i = 0; i < K; ++i) {
- nonce = L + i;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_eta_preinit(&s2.vec[i], &aesctx);
- }
- aes256_ctx_release(&aesctx);
-#elif K == 4 && L == 4
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s2.vec[0], &s2.vec[1], &s2.vec[2], &s2.vec[3], rhoprime, 4, 5, 6, 7);
-#elif K == 6 && L == 5
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s1.vec[4], &s2.vec[0], &s2.vec[1], &s2.vec[2], rhoprime, 4, 5, 6, 7);
- poly_uniform_eta_4x(&s2.vec[3], &s2.vec[4], &s2.vec[5], &t0, rhoprime, 8, 9, 10, 11);
-#elif K == 8 && L == 7
- poly_uniform_eta_4x(&s1.vec[0], &s1.vec[1], &s1.vec[2], &s1.vec[3], rhoprime, 0, 1, 2, 3);
- poly_uniform_eta_4x(&s1.vec[4], &s1.vec[5], &s1.vec[6], &s2.vec[0], rhoprime, 4, 5, 6, 7);
- poly_uniform_eta_4x(&s2.vec[1], &s2.vec[2], &s2.vec[3], &s2.vec[4], rhoprime, 8, 9, 10, 11);
- poly_uniform_eta_4x(&s2.vec[5], &s2.vec[6], &s2.vec[7], &t0, rhoprime, 12, 13, 14, 15);
-#else
-#error
-#endif
-
- /* Pack secret vectors */
- for(i = 0; i < L; i++)
- polyeta_pack(sk + 3*SEEDBYTES + i*POLYETA_PACKEDBYTES, &s1.vec[i]);
- for(i = 0; i < K; i++)
- polyeta_pack(sk + 3*SEEDBYTES + (L + i)*POLYETA_PACKEDBYTES, &s2.vec[i]);
-
- /* Transform s1 */
- polyvecl_ntt(&s1);
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, rho, 0);
-#endif
-
- for(i = 0; i < K; i++) {
- /* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(unsigned int j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
- polyvec_matrix_expand_row(&row, rowbuf, rho, i);
-#endif
-
- /* Compute inner-product */
- polyvecl_pointwise_acc_montgomery(&t1, row, &s1);
- poly_invntt_tomont(&t1);
-
- /* Add error polynomial */
- poly_add(&t1, &t1, &s2.vec[i]);
-
- /* Round t and pack t1, t0 */
- poly_caddq(&t1);
- poly_power2round(&t1, &t0, &t1);
- polyt1_pack(pk + SEEDBYTES + i*POLYT1_PACKEDBYTES, &t1);
- polyt0_pack(sk + 3*SEEDBYTES + (L+K)*POLYETA_PACKEDBYTES + i*POLYT0_PACKEDBYTES, &t0);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- /* Compute H(rho, t1) and store in secret key */
- shake256(sk + 2*SEEDBYTES, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- unsigned int i, n, pos;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint8_t hintbuf[N];
- uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
- uint64_t nonce = 0;
- polyvecl mat[K], s1, z;
- polyveck t0, s2, w1;
- poly c, tmp;
- union {
- polyvecl y;
- polyveck w0;
- } tmpv;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
-#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-#endif
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_ctx aesctx;
- aes256ctr_init_u64(&aesctx, rhoprime, 0);
-#endif
-
-rej:
- /* Sample intermediate vector y */
-#ifdef DILITHIUM_USE_AES
- for(i = 0; i < L; ++i) {
- aes256ctr_init_iv_u64(&aesctx, nonce);
- nonce++;
- poly_uniform_gamma1_preinit(&z.vec[i], &aesctx);
- }
-#elif L == 4
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- nonce += 4;
-#elif L == 5
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- poly_uniform_gamma1(&z.vec[4], rhoprime, nonce + 4);
- nonce += 5;
-#elif L == 7
- poly_uniform_gamma1_4x(&z.vec[0], &z.vec[1], &z.vec[2], &z.vec[3],
- rhoprime, nonce, nonce + 1, nonce + 2, nonce + 3);
- poly_uniform_gamma1_4x(&z.vec[4], &z.vec[5], &z.vec[6], &tmp,
- rhoprime, nonce + 4, nonce + 5, nonce + 6, 0);
- nonce += 7;
-#else
-#error
-#endif
-
- /* Matrix-vector product */
- tmpv.y = z;
- polyvecl_ntt(&tmpv.y);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &tmpv.y);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &tmpv.w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
- /* Compute z, reject if it reveals secret */
- for(i = 0; i < L; i++) {
- poly_pointwise_montgomery(&tmp, &c, &s1.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_add(&z.vec[i], &z.vec[i], &tmp);
- poly_reduce(&z.vec[i]);
- if(poly_chknorm(&z.vec[i], GAMMA1 - BETA))
- goto rej;
- }
-
- /* Zero hint vector in signature */
- pos = 0;
- memset(hint, 0, OMEGA);
-
- for(i = 0; i < K; i++) {
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- poly_pointwise_montgomery(&tmp, &c, &s2.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_sub(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp);
- poly_reduce(&tmpv.w0.vec[i]);
- if(poly_chknorm(&tmpv.w0.vec[i], GAMMA2 - BETA))
- goto rej;
-
- /* Compute hints */
- poly_pointwise_montgomery(&tmp, &c, &t0.vec[i]);
- poly_invntt_tomont(&tmp);
- poly_reduce(&tmp);
- if(poly_chknorm(&tmp, GAMMA2))
- goto rej;
-
- poly_add(&tmpv.w0.vec[i], &tmpv.w0.vec[i], &tmp);
- n = poly_make_hint(hintbuf, &tmpv.w0.vec[i], &w1.vec[i]);
- if(pos + n > OMEGA)
- goto rej;
-
- /* Store hints in signature */
- memcpy(&hint[pos], hintbuf, n);
- hint[OMEGA + i] = pos = pos + n;
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- shake256_inc_ctx_release(&state);
- /* Pack z into signature */
- for(i = 0; i < L; i++)
- polyz_pack(sig + SEEDBYTES + i*POLYZ_PACKEDBYTES, &z.vec[i]);
-
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm, size_t *smlen, const uint8_t *m, size_t mlen, const uint8_t *sk) {
- size_t i;
-
- for(i = 0; i < mlen; ++i)
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk) {
- unsigned int i, j, pos = 0;
- /* polyw1_pack writes additional 14 bytes */
- ALIGNED_UINT8(K*POLYW1_PACKEDBYTES+14) buf;
- uint8_t mu[CRHBYTES];
- const uint8_t *hint = sig + SEEDBYTES + L*POLYZ_PACKEDBYTES;
-#ifdef DILITHIUM_USE_AES
- uint64_t nonce;
- aes256ctr_ctx aesctx;
- polyvecl rowbuf[1];
-#else
- polyvecl rowbuf[2];
-#endif
- polyvecl *row = rowbuf;
- polyvecl z;
- poly c, w1, h;
- shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
- shake256_inc_ctx_release(&state);
-
- /* Expand challenge */
- poly_challenge(&c, sig);
- poly_ntt(&c);
-
- /* Unpack z; shortness follows from unpacking */
- for(i = 0; i < L; i++) {
- polyz_unpack(&z.vec[i], sig + SEEDBYTES + i*POLYZ_PACKEDBYTES);
- poly_ntt(&z.vec[i]);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256ctr_init_u64(&aesctx, pk, 0);
-#endif
-
- for(i = 0; i < K; i++) {
- /* Expand matrix row */
-#ifdef DILITHIUM_USE_AES
- for(j = 0; j < L; j++) {
- nonce = (i << 8) + j;
- aes256ctr_init_iv_u64(&aesctx, nonce);
- poly_uniform_preinit(&row->vec[j], &aesctx);
- poly_nttunpack(&row->vec[j]);
- }
-#else
- polyvec_matrix_expand_row(&row, rowbuf, pk, i);
-#endif
-
- /* Compute i-th row of Az - c2^Dt1 */
- polyvecl_pointwise_acc_montgomery(&w1, row, &z);
-
- polyt1_unpack(&h, pk + SEEDBYTES + i*POLYT1_PACKEDBYTES);
- poly_shiftl(&h);
- poly_ntt(&h);
- poly_pointwise_montgomery(&h, &c, &h);
-
- poly_sub(&w1, &w1, &h);
- poly_reduce(&w1);
- poly_invntt_tomont(&w1);
-
- /* Get hint polynomial and reconstruct w1 */
- memset(h.vec, 0, sizeof(poly));
- if(hint[OMEGA + i] < pos || hint[OMEGA + i] > OMEGA) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
-
- for(j = pos; j < hint[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > pos && hint[j] <= hint[j-1]) {
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
- return -1;
- }
- h.coeffs[hint[j]] = 1;
- }
- pos = hint[OMEGA + i];
-
- poly_caddq(&w1);
- poly_use_hint(&w1, &w1, &h);
- polyw1_pack(buf.coeffs + i*POLYW1_PACKEDBYTES, &w1);
- }
-
-#ifdef DILITHIUM_USE_AES
- aes256_ctx_release(&aesctx);
-#endif
-
- /* Extra indices are zero for strong unforgeability */
- for(j = pos; j < OMEGA; ++j)
- if(hint[j]) return -1;
-
- /* Call random oracle and verify challenge */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf.coeffs, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(buf.coeffs, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(buf.coeffs[i] != sig[i])
- return -1;
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m, size_t *mlen, const uint8_t *sm, size_t smlen, const uint8_t *pk) {
- size_t i;
-
- if(smlen < CRYPTO_BYTES)
- goto badsig;
-
- *mlen = smlen - CRYPTO_BYTES;
- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk))
- goto badsig;
- else {
- /* All good, copy msg, return 0 */
- for(i = 0; i < *mlen; ++i)
- m[i] = sm[CRYPTO_BYTES + i];
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for(i = 0; i < smlen; ++i)
- m[i] = 0;
-
- return -1;
-}
+++ /dev/null
-#ifndef SIGN_H
-#define SIGN_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
+++ /dev/null
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include <stdint.h>
-#include "params.h"
-
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) aes256ctr_init_u64(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) aes256_ctx_release(STATE)
-
-#else
-
-#include "fips202.h"
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-#endif
-
-#endif
+++ /dev/null
-Public Domain (https://creativecommons.org/share-your-work/public-domain/cc0/);
-or Apache 2.0 License (https://www.apache.org/licenses/LICENSE-2.0.html).
-
-For Keccak and the random number generator
-we are using public-domain code from sources
-and by authors listed in comments on top of
-the respective files.
+++ /dev/null
-#ifndef API_H
-#define API_H
-
-#include <stddef.h>
-#include <stdint.h>
-
-#define pqcrystals_dilithium2_PUBLICKEYBYTES 1312
-#define pqcrystals_dilithium2_SECRETKEYBYTES 2528
-#define pqcrystals_dilithium2_BYTES 2420
-
-#define pqcrystals_dilithium2_ref_PUBLICKEYBYTES pqcrystals_dilithium2_PUBLICKEYBYTES
-#define pqcrystals_dilithium2_ref_SECRETKEYBYTES pqcrystals_dilithium2_SECRETKEYBYTES
-#define pqcrystals_dilithium2_ref_BYTES pqcrystals_dilithium2_BYTES
-
-int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium2aes_ref_PUBLICKEYBYTES pqcrystals_dilithium2_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium2aes_ref_SECRETKEYBYTES pqcrystals_dilithium2_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium2aes_ref_BYTES pqcrystals_dilithium2_ref_BYTES
-
-int pqcrystals_dilithium2aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium2aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium2aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3_PUBLICKEYBYTES 1952
-#define pqcrystals_dilithium3_SECRETKEYBYTES 4000
-#define pqcrystals_dilithium3_BYTES 3293
-
-#define pqcrystals_dilithium3_ref_PUBLICKEYBYTES pqcrystals_dilithium3_PUBLICKEYBYTES
-#define pqcrystals_dilithium3_ref_SECRETKEYBYTES pqcrystals_dilithium3_SECRETKEYBYTES
-#define pqcrystals_dilithium3_ref_BYTES pqcrystals_dilithium3_BYTES
-
-int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium3aes_ref_PUBLICKEYBYTES pqcrystals_dilithium3_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium3aes_ref_SECRETKEYBYTES pqcrystals_dilithium3_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium3aes_ref_BYTES pqcrystals_dilithium3_ref_BYTES
-
-int pqcrystals_dilithium3aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium3aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium3aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5_PUBLICKEYBYTES 2592
-#define pqcrystals_dilithium5_SECRETKEYBYTES 4864
-#define pqcrystals_dilithium5_BYTES 4595
-
-#define pqcrystals_dilithium5_ref_PUBLICKEYBYTES pqcrystals_dilithium5_PUBLICKEYBYTES
-#define pqcrystals_dilithium5_ref_SECRETKEYBYTES pqcrystals_dilithium5_SECRETKEYBYTES
-#define pqcrystals_dilithium5_ref_BYTES pqcrystals_dilithium5_BYTES
-
-int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#define pqcrystals_dilithium5aes_ref_PUBLICKEYBYTES pqcrystals_dilithium5_ref_PUBLICKEYBYTES
-#define pqcrystals_dilithium5aes_ref_SECRETKEYBYTES pqcrystals_dilithium5_ref_SECRETKEYBYTES
-#define pqcrystals_dilithium5aes_ref_BYTES pqcrystals_dilithium5_ref_BYTES
-
-int pqcrystals_dilithium5aes_ref_keypair(uint8_t *pk, uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-int pqcrystals_dilithium5aes_ref_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-int pqcrystals_dilithium5aes_ref_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-
-#endif
+++ /dev/null
-#ifndef CONFIG_H
-#define CONFIG_H
-
-//#define DILITHIUM_MODE 2
-//#define DILITHIUM_USE_AES
-//#define DILITHIUM_RANDOMIZED_SIGNING
-//#define USE_RDPMC
-//#define DBENCH
-
-#ifndef DILITHIUM_MODE
-#define DILITHIUM_MODE 2
-#endif
-
-#ifdef DILITHIUM_USE_AES
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2aes_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3aes_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5-AES"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5aes_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5aes_ref_##s
-#endif
-#else
-#if DILITHIUM_MODE == 2
-#define CRYPTO_ALGNAME "Dilithium2"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium2_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium2_ref_##s
-#elif DILITHIUM_MODE == 3
-#define CRYPTO_ALGNAME "Dilithium3"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium3_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium3_ref_##s
-#elif DILITHIUM_MODE == 5
-#define CRYPTO_ALGNAME "Dilithium5"
-#define DILITHIUM_NAMESPACETOP pqcrystals_dilithium5_ref
-#define DILITHIUM_NAMESPACE(s) pqcrystals_dilithium5_ref_##s
-#endif
-#endif
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "ntt.h"
-#include "reduce.h"
-
-static const int32_t zetas[N] = {
- 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468,
- 1826347, 2353451, -359251, -2091905, 3119733, -2884855, 3111497, 2680103,
- 2725464, 1024112, -1079900, 3585928, -549488, -1119584, 2619752, -2108549,
- -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, 280005,
- 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439,
- -3861115, -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299,
- -1699267, -1643818, 3505694, -3821735, 3507263, -2140649, -1600420, 3699596,
- 811944, 531354, 954230, 3881043, 3900724, -2556880, 2071892, -2797779,
- -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, 2176455, -1585221,
- -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922,
- 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047,
- -671102, -1228525, -22981, -1308169, -381987, 1349076, 1852771, -1430430,
- -3343383, 264944, 508951, 3097992, 44288, -1100098, 904516, 3958618,
- -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, -1316856,
- 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330,
- 1285669, -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961,
- 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462,
- 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378,
- 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500,
- -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838,
- 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044,
- 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974,
- -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970,
- -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642,
- -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031,
- -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993,
- -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385,
- -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107,
- -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078,
- -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893,
- -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687,
- -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782
-};
-
-/*************************************************
-* Name: ntt
-*
-* Description: Forward NTT, in-place. No modular reduction is performed after
-* additions or subtractions. Output vector is in bitreversed order.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void ntt(int32_t a[N]) {
- unsigned int len, start, j, k;
- int32_t zeta, t;
-
- k = 0;
- for(len = 128; len > 0; len >>= 1) {
- for(start = 0; start < N; start = j + len) {
- zeta = zetas[++k];
- for(j = start; j < start + len; ++j) {
- t = montgomery_reduce((int64_t)zeta * a[j + len]);
- a[j + len] = a[j] - t;
- a[j] = a[j] + t;
- }
- }
- }
-}
-
-/*************************************************
-* Name: invntt_tomont
-*
-* Description: Inverse NTT and multiplication by Montgomery factor 2^32.
-* In-place. No modular reductions after additions or
-* subtractions; input coefficients need to be smaller than
-* Q in absolute value. Output coefficient are smaller than Q in
-* absolute value.
-*
-* Arguments: - uint32_t p[N]: input/output coefficient array
-**************************************************/
-void invntt_tomont(int32_t a[N]) {
- unsigned int start, len, j, k;
- int32_t t, zeta;
- const int32_t f = 41978; // mont^2/256
-
- k = 256;
- for(len = 1; len < N; len <<= 1) {
- for(start = 0; start < N; start = j + len) {
- zeta = -zetas[--k];
- for(j = start; j < start + len; ++j) {
- t = a[j];
- a[j] = t + a[j + len];
- a[j + len] = t - a[j + len];
- a[j + len] = montgomery_reduce((int64_t)zeta * a[j + len]);
- }
- }
- }
-
- for(j = 0; j < N; ++j) {
- a[j] = montgomery_reduce((int64_t)f * a[j]);
- }
-}
+++ /dev/null
-#ifndef NTT_H
-#define NTT_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define ntt DILITHIUM_NAMESPACE(ntt)
-void ntt(int32_t a[N]);
-
-#define invntt_tomont DILITHIUM_NAMESPACE(invntt_tomont)
-void invntt_tomont(int32_t a[N]);
-
-#endif
+++ /dev/null
-#include "params.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: pack_pk
-*
-* Description: Bit-pack public key pk = (rho, t1).
-*
-* Arguments: - uint8_t pk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const polyveck *t1: pointer to vector t1
-**************************************************/
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const polyveck *t1)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- pk[i] = rho[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_pack(pk + i*POLYT1_PACKEDBYTES, &t1->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_pk
-*
-* Description: Unpack public key pk = (rho, t1).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const polyveck *t1: pointer to output vector t1
-* - uint8_t pk[]: byte array containing bit-packed pk
-**************************************************/
-void unpack_pk(uint8_t rho[SEEDBYTES],
- polyveck *t1,
- const uint8_t pk[CRYPTO_PUBLICKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = pk[i];
- pk += SEEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt1_unpack(&t1->vec[i], pk + i*POLYT1_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sk
-*
-* Description: Bit-pack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - uint8_t sk[]: output byte array
-* - const uint8_t rho[]: byte array containing rho
-* - const uint8_t tr[]: byte array containing tr
-* - const uint8_t key[]: byte array containing key
-* - const polyveck *t0: pointer to vector t0
-* - const polyvecl *s1: pointer to vector s1
-* - const polyveck *s2: pointer to vector s2
-**************************************************/
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2)
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = rho[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = key[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- sk[i] = tr[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s1->vec[i]);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyeta_pack(sk + i*POLYETA_PACKEDBYTES, &s2->vec[i]);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i = 0; i < K; ++i)
- polyt0_pack(sk + i*POLYT0_PACKEDBYTES, &t0->vec[i]);
-}
-
-/*************************************************
-* Name: unpack_sk
-*
-* Description: Unpack secret key sk = (rho, tr, key, t0, s1, s2).
-*
-* Arguments: - const uint8_t rho[]: output byte array for rho
-* - const uint8_t tr[]: output byte array for tr
-* - const uint8_t key[]: output byte array for key
-* - const polyveck *t0: pointer to output vector t0
-* - const polyvecl *s1: pointer to output vector s1
-* - const polyveck *s2: pointer to output vector s2
-* - uint8_t sk[]: byte array containing bit-packed sk
-**************************************************/
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES])
-{
- unsigned int i;
-
- for(i = 0; i < SEEDBYTES; ++i)
- rho[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- key[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i = 0; i < SEEDBYTES; ++i)
- tr[i] = sk[i];
- sk += SEEDBYTES;
-
- for(i=0; i < L; ++i)
- polyeta_unpack(&s1->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += L*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyeta_unpack(&s2->vec[i], sk + i*POLYETA_PACKEDBYTES);
- sk += K*POLYETA_PACKEDBYTES;
-
- for(i=0; i < K; ++i)
- polyt0_unpack(&t0->vec[i], sk + i*POLYT0_PACKEDBYTES);
-}
-
-/*************************************************
-* Name: pack_sig
-*
-* Description: Bit-pack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t sig[]: output byte array
-* - const uint8_t *c: pointer to challenge hash length SEEDBYTES
-* - const polyvecl *z: pointer to vector z
-* - const polyveck *h: pointer to hint vector h
-**************************************************/
-void pack_sig(uint8_t sig[CRYPTO_BYTES],
- const uint8_t c[SEEDBYTES],
- const polyvecl *z,
- const polyveck *h)
-{
- unsigned int i, j, k;
-
- for(i=0; i < SEEDBYTES; ++i)
- sig[i] = c[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_pack(sig + i*POLYZ_PACKEDBYTES, &z->vec[i]);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Encode h */
- for(i = 0; i < OMEGA + K; ++i)
- sig[i] = 0;
-
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- if(h->vec[i].coeffs[j] != 0)
- sig[k++] = j;
-
- sig[OMEGA + i] = k;
- }
-}
-
-/*************************************************
-* Name: unpack_sig
-*
-* Description: Unpack signature sig = (c, z, h).
-*
-* Arguments: - uint8_t *c: pointer to output challenge hash
-* - polyvecl *z: pointer to output vector z
-* - polyveck *h: pointer to output hint vector h
-* - const uint8_t sig[]: byte array containing
-* bit-packed signature
-*
-* Returns 1 in case of malformed signature; otherwise 0.
-**************************************************/
-int unpack_sig(uint8_t c[SEEDBYTES],
- polyvecl *z,
- polyveck *h,
- const uint8_t sig[CRYPTO_BYTES])
-{
- unsigned int i, j, k;
-
- for(i = 0; i < SEEDBYTES; ++i)
- c[i] = sig[i];
- sig += SEEDBYTES;
-
- for(i = 0; i < L; ++i)
- polyz_unpack(&z->vec[i], sig + i*POLYZ_PACKEDBYTES);
- sig += L*POLYZ_PACKEDBYTES;
-
- /* Decode h */
- k = 0;
- for(i = 0; i < K; ++i) {
- for(j = 0; j < N; ++j)
- h->vec[i].coeffs[j] = 0;
-
- if(sig[OMEGA + i] < k || sig[OMEGA + i] > OMEGA)
- return 1;
-
- for(j = k; j < sig[OMEGA + i]; ++j) {
- /* Coefficients are ordered for strong unforgeability */
- if(j > k && sig[j] <= sig[j-1]) return 1;
- h->vec[i].coeffs[sig[j]] = 1;
- }
-
- k = sig[OMEGA + i];
- }
-
- /* Extra indices are zero for strong unforgeability */
- for(j = k; j < OMEGA; ++j)
- if(sig[j])
- return 1;
-
- return 0;
-}
+++ /dev/null
-#ifndef PACKING_H
-#define PACKING_H
-
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-
-#define pack_pk DILITHIUM_NAMESPACE(pack_pk)
-void pack_pk(uint8_t pk[CRYPTO_PUBLICKEYBYTES], const uint8_t rho[SEEDBYTES], const polyveck *t1);
-
-#define pack_sk DILITHIUM_NAMESPACE(pack_sk)
-void pack_sk(uint8_t sk[CRYPTO_SECRETKEYBYTES],
- const uint8_t rho[SEEDBYTES],
- const uint8_t tr[SEEDBYTES],
- const uint8_t key[SEEDBYTES],
- const polyveck *t0,
- const polyvecl *s1,
- const polyveck *s2);
-
-#define pack_sig DILITHIUM_NAMESPACE(pack_sig)
-void pack_sig(uint8_t sig[CRYPTO_BYTES], const uint8_t c[SEEDBYTES], const polyvecl *z, const polyveck *h);
-
-#define unpack_pk DILITHIUM_NAMESPACE(unpack_pk)
-void unpack_pk(uint8_t rho[SEEDBYTES], polyveck *t1, const uint8_t pk[CRYPTO_PUBLICKEYBYTES]);
-
-#define unpack_sk DILITHIUM_NAMESPACE(unpack_sk)
-void unpack_sk(uint8_t rho[SEEDBYTES],
- uint8_t tr[SEEDBYTES],
- uint8_t key[SEEDBYTES],
- polyveck *t0,
- polyvecl *s1,
- polyveck *s2,
- const uint8_t sk[CRYPTO_SECRETKEYBYTES]);
-
-#define unpack_sig DILITHIUM_NAMESPACE(unpack_sig)
-int unpack_sig(uint8_t c[SEEDBYTES], polyvecl *z, polyveck *h, const uint8_t sig[CRYPTO_BYTES]);
-
-#endif
+++ /dev/null
-#ifndef PARAMS_H
-#define PARAMS_H
-
-#include "config.h"
-
-#define SEEDBYTES 32
-#define CRHBYTES 64
-#define N 256
-#define Q 8380417
-#define D 13
-#define ROOT_OF_UNITY 1753
-
-#if DILITHIUM_MODE == 2
-#define K 4
-#define L 4
-#define ETA 2
-#define TAU 39
-#define BETA 78
-#define GAMMA1 (1 << 17)
-#define GAMMA2 ((Q-1)/88)
-#define OMEGA 80
-
-#elif DILITHIUM_MODE == 3
-#define K 6
-#define L 5
-#define ETA 4
-#define TAU 49
-#define BETA 196
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 55
-
-#elif DILITHIUM_MODE == 5
-#define K 8
-#define L 7
-#define ETA 2
-#define TAU 60
-#define BETA 120
-#define GAMMA1 (1 << 19)
-#define GAMMA2 ((Q-1)/32)
-#define OMEGA 75
-
-#endif
-
-#define POLYT1_PACKEDBYTES 320
-#define POLYT0_PACKEDBYTES 416
-#define POLYVECH_PACKEDBYTES (OMEGA + K)
-
-#if GAMMA1 == (1 << 17)
-#define POLYZ_PACKEDBYTES 576
-#elif GAMMA1 == (1 << 19)
-#define POLYZ_PACKEDBYTES 640
-#endif
-
-#if GAMMA2 == (Q-1)/88
-#define POLYW1_PACKEDBYTES 192
-#elif GAMMA2 == (Q-1)/32
-#define POLYW1_PACKEDBYTES 128
-#endif
-
-#if ETA == 2
-#define POLYETA_PACKEDBYTES 96
-#elif ETA == 4
-#define POLYETA_PACKEDBYTES 128
-#endif
-
-#define CRYPTO_PUBLICKEYBYTES (SEEDBYTES + K*POLYT1_PACKEDBYTES)
-#define CRYPTO_SECRETKEYBYTES (3*SEEDBYTES \
- + L*POLYETA_PACKEDBYTES \
- + K*POLYETA_PACKEDBYTES \
- + K*POLYT0_PACKEDBYTES)
-#define CRYPTO_BYTES (SEEDBYTES + L*POLYZ_PACKEDBYTES + POLYVECH_PACKEDBYTES)
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-#include "ntt.h"
-#include "reduce.h"
-#include "rounding.h"
-#include "symmetric.h"
-
-#ifdef DBENCH
-#include "test/cpucycles.h"
-extern const uint64_t timing_overhead;
-extern uint64_t *tred, *tadd, *tmul, *tround, *tsample, *tpack;
-#define DBENCH_START() uint64_t time = cpucycles()
-#define DBENCH_STOP(t) t += cpucycles() - time - timing_overhead
-#else
-#define DBENCH_START()
-#define DBENCH_STOP(t)
-#endif
-
-/*************************************************
-* Name: poly_reduce
-*
-* Description: Inplace reduction of all coefficients of polynomial to
-* representative in [-6283009,6283007].
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_reduce(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] = reduce32(a->coeffs[i]);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_caddq
-*
-* Description: For all coefficients of in/out polynomial add Q if
-* coefficient is negative.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_caddq(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] = caddq(a->coeffs[i]);
-
- DBENCH_STOP(*tred);
-}
-
-/*************************************************
-* Name: poly_add
-*
-* Description: Add polynomials. No modular reduction is performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first summand
-* - const poly *b: pointer to second summand
-**************************************************/
-void poly_add(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = a->coeffs[i] + b->coeffs[i];
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_sub
-*
-* Description: Subtract polynomials. No modular reduction is
-* performed.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial to be
-* subtraced from first input polynomial
-**************************************************/
-void poly_sub(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = a->coeffs[i] - b->coeffs[i];
-
- DBENCH_STOP(*tadd);
-}
-
-/*************************************************
-* Name: poly_shiftl
-*
-* Description: Multiply polynomial by 2^D without modular reduction. Assumes
-* input coefficients to be less than 2^{31-D} in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_shiftl(poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a->coeffs[i] <<= D;
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_ntt
-*
-* Description: Inplace forward NTT. Coefficients can grow by
-* 8*Q in absolute value.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_ntt(poly *a) {
- DBENCH_START();
-
- ntt(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_invntt_tomont
-*
-* Description: Inplace inverse NTT and multiplication by 2^{32}.
-* Input coefficients need to be less than Q in absolute
-* value and output coefficients are again bounded by Q.
-*
-* Arguments: - poly *a: pointer to input/output polynomial
-**************************************************/
-void poly_invntt_tomont(poly *a) {
- DBENCH_START();
-
- invntt_tomont(a->coeffs);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_pointwise_montgomery
-*
-* Description: Pointwise multiplication of polynomials in NTT domain
-* representation and multiplication of resulting polynomial
-* by 2^{-32}.
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const poly *a: pointer to first input polynomial
-* - const poly *b: pointer to second input polynomial
-**************************************************/
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = montgomery_reduce((int64_t)a->coeffs[i] * b->coeffs[i]);
-
- DBENCH_STOP(*tmul);
-}
-
-/*************************************************
-* Name: poly_power2round
-*
-* Description: For all coefficients c of the input polynomial,
-* compute c0, c1 such that c mod Q = c1*2^D + c0
-* with -2^{D-1} < c0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_power2round(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a1->coeffs[i] = power2round(&a0->coeffs[i], a->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_decompose
-*
-* Description: For all coefficients c of the input polynomial,
-* compute high and low bits c0, c1 such c mod Q = c1*ALPHA + c0
-* with -ALPHA/2 < c0 <= ALPHA/2 except c1 = (Q-1)/ALPHA where we
-* set c1 = 0 and -ALPHA/2 <= c0 = c mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - poly *a1: pointer to output polynomial with coefficients c1
-* - poly *a0: pointer to output polynomial with coefficients c0
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void poly_decompose(poly *a1, poly *a0, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- a1->coeffs[i] = decompose(&a0->coeffs[i], a->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_make_hint
-*
-* Description: Compute hint polynomial. The coefficients of which indicate
-* whether the low bits of the corresponding coefficient of
-* the input polynomial overflow into the high bits.
-*
-* Arguments: - poly *h: pointer to output hint polynomial
-* - const poly *a0: pointer to low part of input polynomial
-* - const poly *a1: pointer to high part of input polynomial
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1) {
- unsigned int i, s = 0;
- DBENCH_START();
-
- for(i = 0; i < N; ++i) {
- h->coeffs[i] = make_hint(a0->coeffs[i], a1->coeffs[i]);
- s += h->coeffs[i];
- }
-
- DBENCH_STOP(*tround);
- return s;
-}
-
-/*************************************************
-* Name: poly_use_hint
-*
-* Description: Use hint polynomial to correct the high bits of a polynomial.
-*
-* Arguments: - poly *b: pointer to output polynomial with corrected high bits
-* - const poly *a: pointer to input polynomial
-* - const poly *h: pointer to input hint polynomial
-**************************************************/
-void poly_use_hint(poly *b, const poly *a, const poly *h) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N; ++i)
- b->coeffs[i] = use_hint(a->coeffs[i], h->coeffs[i]);
-
- DBENCH_STOP(*tround);
-}
-
-/*************************************************
-* Name: poly_chknorm
-*
-* Description: Check infinity norm of polynomial against given bound.
-* Assumes input coefficients were reduced by reduce32().
-*
-* Arguments: - const poly *a: pointer to polynomial
-* - int32_t B: norm bound
-*
-* Returns 0 if norm is strictly smaller than B <= (Q-1)/8 and 1 otherwise.
-**************************************************/
-int poly_chknorm(const poly *a, int32_t B) {
- unsigned int i;
- int32_t t;
- DBENCH_START();
-
- if(B > (Q-1)/8)
- return 1;
-
- /* It is ok to leak which coefficient violates the bound since
- the probability for each coefficient is independent of secret
- data but we must not leak the sign of the centralized representative. */
- for(i = 0; i < N; ++i) {
- /* Absolute value */
- t = a->coeffs[i] >> 31;
- t = a->coeffs[i] - (t & 2*a->coeffs[i]);
-
- if(t >= B) {
- DBENCH_STOP(*tsample);
- return 1;
- }
- }
-
- DBENCH_STOP(*tsample);
- return 0;
-}
-
-/*************************************************
-* Name: rej_uniform
-*
-* Description: Sample uniformly random coefficients in [0, Q-1] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_uniform(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos + 3 <= buflen) {
- t = buf[pos++];
- t |= (uint32_t)buf[pos++] << 8;
- t |= (uint32_t)buf[pos++] << 16;
- t &= 0x7FFFFF;
-
- if(t < Q)
- a[ctr++] = t;
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [0,Q-1] by performing rejection sampling on the
-* output stream of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length SEEDBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#define POLY_UNIFORM_NBLOCKS ((768 + STREAM128_BLOCKBYTES - 1)/STREAM128_BLOCKBYTES)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce)
-{
- unsigned int i, ctr, off;
- unsigned int buflen = POLY_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_NBLOCKS*STREAM128_BLOCKBYTES + 2];
- stream128_state state;
-
- stream128_init(&state, seed, nonce);
- stream128_squeezeblocks(buf, POLY_UNIFORM_NBLOCKS, &state);
-
- ctr = rej_uniform(a->coeffs, N, buf, buflen);
-
- while(ctr < N) {
- off = buflen % 3;
- for(i = 0; i < off; ++i)
- buf[i] = buf[buflen - off + i];
-
- stream128_squeezeblocks(buf + off, 1, &state);
- buflen = STREAM128_BLOCKBYTES + off;
- ctr += rej_uniform(a->coeffs + ctr, N - ctr, buf, buflen);
- }
- stream128_release(&state);
-}
-
-/*************************************************
-* Name: rej_eta
-*
-* Description: Sample uniformly random coefficients in [-ETA, ETA] by
-* performing rejection sampling on array of random bytes.
-*
-* Arguments: - int32_t *a: pointer to output array (allocated)
-* - unsigned int len: number of coefficients to be sampled
-* - const uint8_t *buf: array of random bytes
-* - unsigned int buflen: length of array of random bytes
-*
-* Returns number of sampled coefficients. Can be smaller than len if not enough
-* random bytes were given.
-**************************************************/
-static unsigned int rej_eta(int32_t *a,
- unsigned int len,
- const uint8_t *buf,
- unsigned int buflen)
-{
- unsigned int ctr, pos;
- uint32_t t0, t1;
- DBENCH_START();
-
- ctr = pos = 0;
- while(ctr < len && pos < buflen) {
- t0 = buf[pos] & 0x0F;
- t1 = buf[pos++] >> 4;
-
-#if ETA == 2
- if(t0 < 15) {
- t0 = t0 - (205*t0 >> 10)*5;
- a[ctr++] = 2 - t0;
- }
- if(t1 < 15 && ctr < len) {
- t1 = t1 - (205*t1 >> 10)*5;
- a[ctr++] = 2 - t1;
- }
-#elif ETA == 4
- if(t0 < 9)
- a[ctr++] = 4 - t0;
- if(t1 < 9 && ctr < len)
- a[ctr++] = 4 - t1;
-#endif
- }
-
- DBENCH_STOP(*tsample);
- return ctr;
-}
-
-/*************************************************
-* Name: poly_uniform_eta
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-ETA,ETA] by performing rejection sampling on the
-* output stream from SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 2-byte nonce
-**************************************************/
-#if ETA == 2
-#define POLY_UNIFORM_ETA_NBLOCKS ((136 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#elif ETA == 4
-#define POLY_UNIFORM_ETA_NBLOCKS ((227 + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-#endif
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
-{
- unsigned int ctr;
- unsigned int buflen = POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES;
- uint8_t buf[POLY_UNIFORM_ETA_NBLOCKS*STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_ETA_NBLOCKS, &state);
-
- ctr = rej_eta(a->coeffs, N, buf, buflen);
-
- while(ctr < N) {
- stream256_squeezeblocks(buf, 1, &state);
- ctr += rej_eta(a->coeffs + ctr, N - ctr, buf, STREAM256_BLOCKBYTES);
- }
- stream256_release(&state);
-}
-
-/*************************************************
-* Name: poly_uniform_gamma1m1
-*
-* Description: Sample polynomial with uniformly random coefficients
-* in [-(GAMMA1 - 1), GAMMA1] by unpacking output stream
-* of SHAKE256(seed|nonce) or AES256CTR(seed,nonce).
-*
-* Arguments: - poly *a: pointer to output polynomial
-* - const uint8_t seed[]: byte array with seed of length CRHBYTES
-* - uint16_t nonce: 16-bit nonce
-**************************************************/
-#define POLY_UNIFORM_GAMMA1_NBLOCKS ((POLYZ_PACKEDBYTES + STREAM256_BLOCKBYTES - 1)/STREAM256_BLOCKBYTES)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce)
-{
- uint8_t buf[POLY_UNIFORM_GAMMA1_NBLOCKS*STREAM256_BLOCKBYTES];
- stream256_state state;
-
- stream256_init(&state, seed, nonce);
- stream256_squeezeblocks(buf, POLY_UNIFORM_GAMMA1_NBLOCKS, &state);
- stream256_release(&state);
- polyz_unpack(a, buf);
-}
-
-/*************************************************
-* Name: challenge
-*
-* Description: Implementation of H. Samples polynomial with TAU nonzero
-* coefficients in {-1,1} using the output stream of
-* SHAKE256(seed).
-*
-* Arguments: - poly *c: pointer to output polynomial
-* - const uint8_t mu[]: byte array containing seed of length SEEDBYTES
-**************************************************/
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]) {
- unsigned int i, b, pos;
- uint64_t signs;
- uint8_t buf[SHAKE256_RATE];
- shake256incctx state;
-
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, seed, SEEDBYTES);
- shake256_inc_finalize(&state);
- shake256_squeezeblocks(buf, 1, &state);
-
- signs = 0;
- for(i = 0; i < 8; ++i)
- signs |= (uint64_t)buf[i] << 8*i;
- pos = 8;
-
- for(i = 0; i < N; ++i)
- c->coeffs[i] = 0;
- for(i = N-TAU; i < N; ++i) {
- do {
- if(pos >= SHAKE256_RATE) {
- shake256_squeezeblocks(buf, 1, &state);
- pos = 0;
- }
-
- b = buf[pos++];
- } while(b > i);
-
- c->coeffs[i] = c->coeffs[b];
- c->coeffs[b] = 1 - 2*(signs & 1);
- signs >>= 1;
- }
- shake256_inc_ctx_release(&state);
-}
-
-/*************************************************
-* Name: polyeta_pack
-*
-* Description: Bit-pack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYETA_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyeta_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint8_t t[8];
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- t[0] = ETA - a->coeffs[8*i+0];
- t[1] = ETA - a->coeffs[8*i+1];
- t[2] = ETA - a->coeffs[8*i+2];
- t[3] = ETA - a->coeffs[8*i+3];
- t[4] = ETA - a->coeffs[8*i+4];
- t[5] = ETA - a->coeffs[8*i+5];
- t[6] = ETA - a->coeffs[8*i+6];
- t[7] = ETA - a->coeffs[8*i+7];
-
- r[3*i+0] = (t[0] >> 0) | (t[1] << 3) | (t[2] << 6);
- r[3*i+1] = (t[2] >> 2) | (t[3] << 1) | (t[4] << 4) | (t[5] << 7);
- r[3*i+2] = (t[5] >> 1) | (t[6] << 2) | (t[7] << 5);
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- t[0] = ETA - a->coeffs[2*i+0];
- t[1] = ETA - a->coeffs[2*i+1];
- r[i] = t[0] | (t[1] << 4);
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyeta_unpack
-*
-* Description: Unpack polynomial with coefficients in [-ETA,ETA].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyeta_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-#if ETA == 2
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = (a[3*i+0] >> 0) & 7;
- r->coeffs[8*i+1] = (a[3*i+0] >> 3) & 7;
- r->coeffs[8*i+2] = ((a[3*i+0] >> 6) | (a[3*i+1] << 2)) & 7;
- r->coeffs[8*i+3] = (a[3*i+1] >> 1) & 7;
- r->coeffs[8*i+4] = (a[3*i+1] >> 4) & 7;
- r->coeffs[8*i+5] = ((a[3*i+1] >> 7) | (a[3*i+2] << 1)) & 7;
- r->coeffs[8*i+6] = (a[3*i+2] >> 2) & 7;
- r->coeffs[8*i+7] = (a[3*i+2] >> 5) & 7;
-
- r->coeffs[8*i+0] = ETA - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = ETA - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = ETA - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = ETA - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = ETA - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = ETA - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = ETA - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = ETA - r->coeffs[8*i+7];
- }
-#elif ETA == 4
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[i] & 0x0F;
- r->coeffs[2*i+1] = a[i] >> 4;
- r->coeffs[2*i+0] = ETA - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = ETA - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_pack
-*
-* Description: Bit-pack polynomial t1 with coefficients fitting in 10 bits.
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r[5*i+0] = (a->coeffs[4*i+0] >> 0);
- r[5*i+1] = (a->coeffs[4*i+0] >> 8) | (a->coeffs[4*i+1] << 2);
- r[5*i+2] = (a->coeffs[4*i+1] >> 6) | (a->coeffs[4*i+2] << 4);
- r[5*i+3] = (a->coeffs[4*i+2] >> 4) | (a->coeffs[4*i+3] << 6);
- r[5*i+4] = (a->coeffs[4*i+3] >> 2);
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt1_unpack
-*
-* Description: Unpack polynomial t1 with 10-bit coefficients.
-* Output coefficients are standard representatives.
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt1_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = ((a[5*i+0] >> 0) | ((uint32_t)a[5*i+1] << 8)) & 0x3FF;
- r->coeffs[4*i+1] = ((a[5*i+1] >> 2) | ((uint32_t)a[5*i+2] << 6)) & 0x3FF;
- r->coeffs[4*i+2] = ((a[5*i+2] >> 4) | ((uint32_t)a[5*i+3] << 4)) & 0x3FF;
- r->coeffs[4*i+3] = ((a[5*i+3] >> 6) | ((uint32_t)a[5*i+4] << 2)) & 0x3FF;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_pack
-*
-* Description: Bit-pack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYT0_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyt0_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[8];
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- t[0] = (1 << (D-1)) - a->coeffs[8*i+0];
- t[1] = (1 << (D-1)) - a->coeffs[8*i+1];
- t[2] = (1 << (D-1)) - a->coeffs[8*i+2];
- t[3] = (1 << (D-1)) - a->coeffs[8*i+3];
- t[4] = (1 << (D-1)) - a->coeffs[8*i+4];
- t[5] = (1 << (D-1)) - a->coeffs[8*i+5];
- t[6] = (1 << (D-1)) - a->coeffs[8*i+6];
- t[7] = (1 << (D-1)) - a->coeffs[8*i+7];
-
- r[13*i+ 0] = t[0];
- r[13*i+ 1] = t[0] >> 8;
- r[13*i+ 1] |= t[1] << 5;
- r[13*i+ 2] = t[1] >> 3;
- r[13*i+ 3] = t[1] >> 11;
- r[13*i+ 3] |= t[2] << 2;
- r[13*i+ 4] = t[2] >> 6;
- r[13*i+ 4] |= t[3] << 7;
- r[13*i+ 5] = t[3] >> 1;
- r[13*i+ 6] = t[3] >> 9;
- r[13*i+ 6] |= t[4] << 4;
- r[13*i+ 7] = t[4] >> 4;
- r[13*i+ 8] = t[4] >> 12;
- r[13*i+ 8] |= t[5] << 1;
- r[13*i+ 9] = t[5] >> 7;
- r[13*i+ 9] |= t[6] << 6;
- r[13*i+10] = t[6] >> 2;
- r[13*i+11] = t[6] >> 10;
- r[13*i+11] |= t[7] << 3;
- r[13*i+12] = t[7] >> 5;
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyt0_unpack
-*
-* Description: Unpack polynomial t0 with coefficients in ]-2^{D-1}, 2^{D-1}].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyt0_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
- for(i = 0; i < N/8; ++i) {
- r->coeffs[8*i+0] = a[13*i+0];
- r->coeffs[8*i+0] |= (uint32_t)a[13*i+1] << 8;
- r->coeffs[8*i+0] &= 0x1FFF;
-
- r->coeffs[8*i+1] = a[13*i+1] >> 5;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+2] << 3;
- r->coeffs[8*i+1] |= (uint32_t)a[13*i+3] << 11;
- r->coeffs[8*i+1] &= 0x1FFF;
-
- r->coeffs[8*i+2] = a[13*i+3] >> 2;
- r->coeffs[8*i+2] |= (uint32_t)a[13*i+4] << 6;
- r->coeffs[8*i+2] &= 0x1FFF;
-
- r->coeffs[8*i+3] = a[13*i+4] >> 7;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+5] << 1;
- r->coeffs[8*i+3] |= (uint32_t)a[13*i+6] << 9;
- r->coeffs[8*i+3] &= 0x1FFF;
-
- r->coeffs[8*i+4] = a[13*i+6] >> 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+7] << 4;
- r->coeffs[8*i+4] |= (uint32_t)a[13*i+8] << 12;
- r->coeffs[8*i+4] &= 0x1FFF;
-
- r->coeffs[8*i+5] = a[13*i+8] >> 1;
- r->coeffs[8*i+5] |= (uint32_t)a[13*i+9] << 7;
- r->coeffs[8*i+5] &= 0x1FFF;
-
- r->coeffs[8*i+6] = a[13*i+9] >> 6;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+10] << 2;
- r->coeffs[8*i+6] |= (uint32_t)a[13*i+11] << 10;
- r->coeffs[8*i+6] &= 0x1FFF;
-
- r->coeffs[8*i+7] = a[13*i+11] >> 3;
- r->coeffs[8*i+7] |= (uint32_t)a[13*i+12] << 5;
- r->coeffs[8*i+7] &= 0x1FFF;
-
- r->coeffs[8*i+0] = (1 << (D-1)) - r->coeffs[8*i+0];
- r->coeffs[8*i+1] = (1 << (D-1)) - r->coeffs[8*i+1];
- r->coeffs[8*i+2] = (1 << (D-1)) - r->coeffs[8*i+2];
- r->coeffs[8*i+3] = (1 << (D-1)) - r->coeffs[8*i+3];
- r->coeffs[8*i+4] = (1 << (D-1)) - r->coeffs[8*i+4];
- r->coeffs[8*i+5] = (1 << (D-1)) - r->coeffs[8*i+5];
- r->coeffs[8*i+6] = (1 << (D-1)) - r->coeffs[8*i+6];
- r->coeffs[8*i+7] = (1 << (D-1)) - r->coeffs[8*i+7];
- }
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_pack
-*
-* Description: Bit-pack polynomial with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYZ_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyz_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- uint32_t t[4];
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- t[0] = GAMMA1 - a->coeffs[4*i+0];
- t[1] = GAMMA1 - a->coeffs[4*i+1];
- t[2] = GAMMA1 - a->coeffs[4*i+2];
- t[3] = GAMMA1 - a->coeffs[4*i+3];
-
- r[9*i+0] = t[0];
- r[9*i+1] = t[0] >> 8;
- r[9*i+2] = t[0] >> 16;
- r[9*i+2] |= t[1] << 2;
- r[9*i+3] = t[1] >> 6;
- r[9*i+4] = t[1] >> 14;
- r[9*i+4] |= t[2] << 4;
- r[9*i+5] = t[2] >> 4;
- r[9*i+6] = t[2] >> 12;
- r[9*i+6] |= t[3] << 6;
- r[9*i+7] = t[3] >> 2;
- r[9*i+8] = t[3] >> 10;
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- t[0] = GAMMA1 - a->coeffs[2*i+0];
- t[1] = GAMMA1 - a->coeffs[2*i+1];
-
- r[5*i+0] = t[0];
- r[5*i+1] = t[0] >> 8;
- r[5*i+2] = t[0] >> 16;
- r[5*i+2] |= t[1] << 4;
- r[5*i+3] = t[1] >> 4;
- r[5*i+4] = t[1] >> 12;
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyz_unpack
-*
-* Description: Unpack polynomial z with coefficients
-* in [-(GAMMA1 - 1), GAMMA1].
-*
-* Arguments: - poly *r: pointer to output polynomial
-* - const uint8_t *a: byte array with bit-packed polynomial
-**************************************************/
-void polyz_unpack(poly *r, const uint8_t *a) {
- unsigned int i;
- DBENCH_START();
-
-#if GAMMA1 == (1 << 17)
- for(i = 0; i < N/4; ++i) {
- r->coeffs[4*i+0] = a[9*i+0];
- r->coeffs[4*i+0] |= (uint32_t)a[9*i+1] << 8;
- r->coeffs[4*i+0] |= (uint32_t)a[9*i+2] << 16;
- r->coeffs[4*i+0] &= 0x3FFFF;
-
- r->coeffs[4*i+1] = a[9*i+2] >> 2;
- r->coeffs[4*i+1] |= (uint32_t)a[9*i+3] << 6;
- r->coeffs[4*i+1] |= (uint32_t)a[9*i+4] << 14;
- r->coeffs[4*i+1] &= 0x3FFFF;
-
- r->coeffs[4*i+2] = a[9*i+4] >> 4;
- r->coeffs[4*i+2] |= (uint32_t)a[9*i+5] << 4;
- r->coeffs[4*i+2] |= (uint32_t)a[9*i+6] << 12;
- r->coeffs[4*i+2] &= 0x3FFFF;
-
- r->coeffs[4*i+3] = a[9*i+6] >> 6;
- r->coeffs[4*i+3] |= (uint32_t)a[9*i+7] << 2;
- r->coeffs[4*i+3] |= (uint32_t)a[9*i+8] << 10;
- r->coeffs[4*i+3] &= 0x3FFFF;
-
- r->coeffs[4*i+0] = GAMMA1 - r->coeffs[4*i+0];
- r->coeffs[4*i+1] = GAMMA1 - r->coeffs[4*i+1];
- r->coeffs[4*i+2] = GAMMA1 - r->coeffs[4*i+2];
- r->coeffs[4*i+3] = GAMMA1 - r->coeffs[4*i+3];
- }
-#elif GAMMA1 == (1 << 19)
- for(i = 0; i < N/2; ++i) {
- r->coeffs[2*i+0] = a[5*i+0];
- r->coeffs[2*i+0] |= (uint32_t)a[5*i+1] << 8;
- r->coeffs[2*i+0] |= (uint32_t)a[5*i+2] << 16;
- r->coeffs[2*i+0] &= 0xFFFFF;
-
- r->coeffs[2*i+1] = a[5*i+2] >> 4;
- r->coeffs[2*i+1] |= (uint32_t)a[5*i+3] << 4;
- r->coeffs[2*i+1] |= (uint32_t)a[5*i+4] << 12;
- r->coeffs[2*i+0] &= 0xFFFFF;
-
- r->coeffs[2*i+0] = GAMMA1 - r->coeffs[2*i+0];
- r->coeffs[2*i+1] = GAMMA1 - r->coeffs[2*i+1];
- }
-#endif
-
- DBENCH_STOP(*tpack);
-}
-
-/*************************************************
-* Name: polyw1_pack
-*
-* Description: Bit-pack polynomial w1 with coefficients in [0,15] or [0,43].
-* Input coefficients are assumed to be standard representatives.
-*
-* Arguments: - uint8_t *r: pointer to output byte array with at least
-* POLYW1_PACKEDBYTES bytes
-* - const poly *a: pointer to input polynomial
-**************************************************/
-void polyw1_pack(uint8_t *r, const poly *a) {
- unsigned int i;
- DBENCH_START();
-
-#if GAMMA2 == (Q-1)/88
- for(i = 0; i < N/4; ++i) {
- r[3*i+0] = a->coeffs[4*i+0];
- r[3*i+0] |= a->coeffs[4*i+1] << 6;
- r[3*i+1] = a->coeffs[4*i+1] >> 2;
- r[3*i+1] |= a->coeffs[4*i+2] << 4;
- r[3*i+2] = a->coeffs[4*i+2] >> 4;
- r[3*i+2] |= a->coeffs[4*i+3] << 2;
- }
-#elif GAMMA2 == (Q-1)/32
- for(i = 0; i < N/2; ++i)
- r[i] = a->coeffs[2*i+0] | (a->coeffs[2*i+1] << 4);
-#endif
-
- DBENCH_STOP(*tpack);
-}
+++ /dev/null
-#ifndef POLY_H
-#define POLY_H
-
-#include <stdint.h>
-#include "params.h"
-
-typedef struct {
- int32_t coeffs[N];
-} poly;
-
-#define poly_reduce DILITHIUM_NAMESPACE(poly_reduce)
-void poly_reduce(poly *a);
-#define poly_caddq DILITHIUM_NAMESPACE(poly_caddq)
-void poly_caddq(poly *a);
-
-#define poly_add DILITHIUM_NAMESPACE(poly_add)
-void poly_add(poly *c, const poly *a, const poly *b);
-#define poly_sub DILITHIUM_NAMESPACE(poly_sub)
-void poly_sub(poly *c, const poly *a, const poly *b);
-#define poly_shiftl DILITHIUM_NAMESPACE(poly_shiftl)
-void poly_shiftl(poly *a);
-
-#define poly_ntt DILITHIUM_NAMESPACE(poly_ntt)
-void poly_ntt(poly *a);
-#define poly_invntt_tomont DILITHIUM_NAMESPACE(poly_invntt_tomont)
-void poly_invntt_tomont(poly *a);
-#define poly_pointwise_montgomery DILITHIUM_NAMESPACE(poly_pointwise_montgomery)
-void poly_pointwise_montgomery(poly *c, const poly *a, const poly *b);
-
-#define poly_power2round DILITHIUM_NAMESPACE(poly_power2round)
-void poly_power2round(poly *a1, poly *a0, const poly *a);
-#define poly_decompose DILITHIUM_NAMESPACE(poly_decompose)
-void poly_decompose(poly *a1, poly *a0, const poly *a);
-#define poly_make_hint DILITHIUM_NAMESPACE(poly_make_hint)
-unsigned int poly_make_hint(poly *h, const poly *a0, const poly *a1);
-#define poly_use_hint DILITHIUM_NAMESPACE(poly_use_hint)
-void poly_use_hint(poly *b, const poly *a, const poly *h);
-
-#define poly_chknorm DILITHIUM_NAMESPACE(poly_chknorm)
-int poly_chknorm(const poly *a, int32_t B);
-#define poly_uniform DILITHIUM_NAMESPACE(poly_uniform)
-void poly_uniform(poly *a,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-#define poly_uniform_eta DILITHIUM_NAMESPACE(poly_uniform_eta)
-void poly_uniform_eta(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_uniform_gamma1 DILITHIUM_NAMESPACE(poly_uniform_gamma1)
-void poly_uniform_gamma1(poly *a,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-#define poly_challenge DILITHIUM_NAMESPACE(poly_challenge)
-void poly_challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define polyeta_pack DILITHIUM_NAMESPACE(polyeta_pack)
-void polyeta_pack(uint8_t *r, const poly *a);
-#define polyeta_unpack DILITHIUM_NAMESPACE(polyeta_unpack)
-void polyeta_unpack(poly *r, const uint8_t *a);
-
-#define polyt1_pack DILITHIUM_NAMESPACE(polyt1_pack)
-void polyt1_pack(uint8_t *r, const poly *a);
-#define polyt1_unpack DILITHIUM_NAMESPACE(polyt1_unpack)
-void polyt1_unpack(poly *r, const uint8_t *a);
-
-#define polyt0_pack DILITHIUM_NAMESPACE(polyt0_pack)
-void polyt0_pack(uint8_t *r, const poly *a);
-#define polyt0_unpack DILITHIUM_NAMESPACE(polyt0_unpack)
-void polyt0_unpack(poly *r, const uint8_t *a);
-
-#define polyz_pack DILITHIUM_NAMESPACE(polyz_pack)
-void polyz_pack(uint8_t *r, const poly *a);
-#define polyz_unpack DILITHIUM_NAMESPACE(polyz_unpack)
-void polyz_unpack(poly *r, const uint8_t *a);
-
-#define polyw1_pack DILITHIUM_NAMESPACE(polyw1_pack)
-void polyw1_pack(uint8_t *r, const poly *a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-/*************************************************
-* Name: expand_mat
-*
-* Description: Implementation of ExpandA. Generates matrix A with uniformly
-* random coefficients a_{i,j} by performing rejection
-* sampling on the output stream of SHAKE128(rho|j|i)
-* or AES256CTR(rho,j|i).
-*
-* Arguments: - polyvecl mat[K]: output matrix
-* - const uint8_t rho[]: byte array containing seed rho
-**************************************************/
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]) {
- unsigned int i, j;
-
- for(i = 0; i < K; ++i)
- for(j = 0; j < L; ++j)
- poly_uniform(&mat[i].vec[j], rho, (i << 8) + j);
-}
-
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyvecl_pointwise_acc_montgomery(&t->vec[i], &mat[i], v);
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length L **************/
-/**************************************************************/
-
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_uniform_gamma1(&v->vec[i], seed, L*nonce + i);
-}
-
-void polyvecl_reduce(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_add
-*
-* Description: Add vectors of polynomials of length L.
-* No modular reduction is performed.
-*
-* Arguments: - polyvecl *w: pointer to output vector
-* - const polyvecl *u: pointer to first summand
-* - const polyvecl *v: pointer to second summand
-**************************************************/
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length L. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyvecl *v: pointer to input/output vector
-**************************************************/
-void polyvecl_ntt(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-void polyvecl_invntt_tomont(polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyvecl_pointwise_acc_montgomery
-*
-* Description: Pointwise multiply vectors of polynomials of length L, multiply
-* resulting vector by 2^{-32} and add (accumulate) polynomials
-* in it. Input/output vectors are in NTT domain representation.
-*
-* Arguments: - poly *w: output polynomial
-* - const polyvecl *u: pointer to first input vector
-* - const polyvecl *v: pointer to second input vector
-**************************************************/
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v)
-{
- unsigned int i;
- poly t;
-
- poly_pointwise_montgomery(w, &u->vec[0], &v->vec[0]);
- for(i = 1; i < L; ++i) {
- poly_pointwise_montgomery(&t, &u->vec[i], &v->vec[i]);
- poly_add(w, w, &t);
- }
-}
-
-/*************************************************
-* Name: polyvecl_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length L.
-* Assumes input polyvecl to be reduced by polyvecl_reduce().
-*
-* Arguments: - const polyvecl *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials is strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyvecl_chknorm(const polyvecl *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < L; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/**************************************************************/
-/************ Vectors of polynomials of length K **************/
-/**************************************************************/
-
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_uniform_eta(&v->vec[i], seed, nonce++);
-}
-
-/*************************************************
-* Name: polyveck_reduce
-*
-* Description: Reduce coefficients of polynomials in vector of length K
-* to representatives in [-6283009,6283007].
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_reduce(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_reduce(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_caddq
-*
-* Description: For all coefficients of polynomials in vector of length K
-* add Q if coefficient is negative.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_caddq(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_caddq(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_add
-*
-* Description: Add vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first summand
-* - const polyveck *v: pointer to second summand
-**************************************************/
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_add(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_sub
-*
-* Description: Subtract vectors of polynomials of length K.
-* No modular reduction is performed.
-*
-* Arguments: - polyveck *w: pointer to output vector
-* - const polyveck *u: pointer to first input vector
-* - const polyveck *v: pointer to second input vector to be
-* subtracted from first input vector
-**************************************************/
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_sub(&w->vec[i], &u->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_shiftl
-*
-* Description: Multiply vector of polynomials of Length K by 2^D without modular
-* reduction. Assumes input coefficients to be less than 2^{31-D}.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_shiftl(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_shiftl(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_ntt
-*
-* Description: Forward NTT of all polynomials in vector of length K. Output
-* coefficients can be up to 16*Q larger than input coefficients.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_ntt(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_ntt(&v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_invntt_tomont
-*
-* Description: Inverse NTT and multiplication by 2^{32} of polynomials
-* in vector of length K. Input coefficients need to be less
-* than 2*Q.
-*
-* Arguments: - polyveck *v: pointer to input/output vector
-**************************************************/
-void polyveck_invntt_tomont(polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_invntt_tomont(&v->vec[i]);
-}
-
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_pointwise_montgomery(&r->vec[i], a, &v->vec[i]);
-}
-
-
-/*************************************************
-* Name: polyveck_chknorm
-*
-* Description: Check infinity norm of polynomials in vector of length K.
-* Assumes input polyveck to be reduced by polyveck_reduce().
-*
-* Arguments: - const polyveck *v: pointer to vector
-* - int32_t B: norm bound
-*
-* Returns 0 if norm of all polynomials are strictly smaller than B <= (Q-1)/8
-* and 1 otherwise.
-**************************************************/
-int polyveck_chknorm(const polyveck *v, int32_t bound) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- if(poly_chknorm(&v->vec[i], bound))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: polyveck_power2round
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute a0, a1 such that a mod^+ Q = a1*2^D + a0
-* with -2^{D-1} < a0 <= 2^{D-1}. Assumes coefficients to be
-* standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_power2round(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_decompose
-*
-* Description: For all coefficients a of polynomials in vector of length K,
-* compute high and low bits a0, a1 such a mod^+ Q = a1*ALPHA + a0
-* with -ALPHA/2 < a0 <= ALPHA/2 except a1 = (Q-1)/ALPHA where we
-* set a1 = 0 and -ALPHA/2 <= a0 = a mod Q - Q < 0.
-* Assumes coefficients to be standard representatives.
-*
-* Arguments: - polyveck *v1: pointer to output vector of polynomials with
-* coefficients a1
-* - polyveck *v0: pointer to output vector of polynomials with
-* coefficients a0
-* - const polyveck *v: pointer to input vector
-**************************************************/
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_decompose(&v1->vec[i], &v0->vec[i], &v->vec[i]);
-}
-
-/*************************************************
-* Name: polyveck_make_hint
-*
-* Description: Compute hint vector.
-*
-* Arguments: - polyveck *h: pointer to output vector
-* - const polyveck *v0: pointer to low part of input vector
-* - const polyveck *v1: pointer to high part of input vector
-*
-* Returns number of 1 bits.
-**************************************************/
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1)
-{
- unsigned int i, s = 0;
-
- for(i = 0; i < K; ++i)
- s += poly_make_hint(&h->vec[i], &v0->vec[i], &v1->vec[i]);
-
- return s;
-}
-
-/*************************************************
-* Name: polyveck_use_hint
-*
-* Description: Use hint vector to correct the high bits of input vector.
-*
-* Arguments: - polyveck *w: pointer to output vector of polynomials with
-* corrected high bits
-* - const polyveck *u: pointer to input vector
-* - const polyveck *h: pointer to input hint vector
-**************************************************/
-void polyveck_use_hint(polyveck *w, const polyveck *u, const polyveck *h) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- poly_use_hint(&w->vec[i], &u->vec[i], &h->vec[i]);
-}
-
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1) {
- unsigned int i;
-
- for(i = 0; i < K; ++i)
- polyw1_pack(&r[i*POLYW1_PACKEDBYTES], &w1->vec[i]);
-}
+++ /dev/null
-#ifndef POLYVEC_H
-#define POLYVEC_H
-
-#include <stdint.h>
-#include "params.h"
-#include "poly.h"
-
-/* Vectors of polynomials of length L */
-typedef struct {
- poly vec[L];
-} polyvecl;
-
-#define polyvecl_uniform_eta DILITHIUM_NAMESPACE(polyvecl_uniform_eta)
-void polyvecl_uniform_eta(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_uniform_gamma1 DILITHIUM_NAMESPACE(polyvecl_uniform_gamma1)
-void polyvecl_uniform_gamma1(polyvecl *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyvecl_reduce DILITHIUM_NAMESPACE(polyvecl_reduce)
-void polyvecl_reduce(polyvecl *v);
-
-#define polyvecl_add DILITHIUM_NAMESPACE(polyvecl_add)
-void polyvecl_add(polyvecl *w, const polyvecl *u, const polyvecl *v);
-
-#define polyvecl_ntt DILITHIUM_NAMESPACE(polyvecl_ntt)
-void polyvecl_ntt(polyvecl *v);
-#define polyvecl_invntt_tomont DILITHIUM_NAMESPACE(polyvecl_invntt_tomont)
-void polyvecl_invntt_tomont(polyvecl *v);
-#define polyvecl_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyvecl_pointwise_poly_montgomery)
-void polyvecl_pointwise_poly_montgomery(polyvecl *r, const poly *a, const polyvecl *v);
-#define polyvecl_pointwise_acc_montgomery \
- DILITHIUM_NAMESPACE(polyvecl_pointwise_acc_montgomery)
-void polyvecl_pointwise_acc_montgomery(poly *w,
- const polyvecl *u,
- const polyvecl *v);
-
-
-#define polyvecl_chknorm DILITHIUM_NAMESPACE(polyvecl_chknorm)
-int polyvecl_chknorm(const polyvecl *v, int32_t B);
-
-
-
-/* Vectors of polynomials of length K */
-typedef struct {
- poly vec[K];
-} polyveck;
-
-#define polyveck_uniform_eta DILITHIUM_NAMESPACE(polyveck_uniform_eta)
-void polyveck_uniform_eta(polyveck *v, const uint8_t seed[CRHBYTES], uint16_t nonce);
-
-#define polyveck_reduce DILITHIUM_NAMESPACE(polyveck_reduce)
-void polyveck_reduce(polyveck *v);
-#define polyveck_caddq DILITHIUM_NAMESPACE(polyveck_caddq)
-void polyveck_caddq(polyveck *v);
-
-#define polyveck_add DILITHIUM_NAMESPACE(polyveck_add)
-void polyveck_add(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_sub DILITHIUM_NAMESPACE(polyveck_sub)
-void polyveck_sub(polyveck *w, const polyveck *u, const polyveck *v);
-#define polyveck_shiftl DILITHIUM_NAMESPACE(polyveck_shiftl)
-void polyveck_shiftl(polyveck *v);
-
-#define polyveck_ntt DILITHIUM_NAMESPACE(polyveck_ntt)
-void polyveck_ntt(polyveck *v);
-#define polyveck_invntt_tomont DILITHIUM_NAMESPACE(polyveck_invntt_tomont)
-void polyveck_invntt_tomont(polyveck *v);
-#define polyveck_pointwise_poly_montgomery DILITHIUM_NAMESPACE(polyveck_pointwise_poly_montgomery)
-void polyveck_pointwise_poly_montgomery(polyveck *r, const poly *a, const polyveck *v);
-
-#define polyveck_chknorm DILITHIUM_NAMESPACE(polyveck_chknorm)
-int polyveck_chknorm(const polyveck *v, int32_t B);
-
-#define polyveck_power2round DILITHIUM_NAMESPACE(polyveck_power2round)
-void polyveck_power2round(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_decompose DILITHIUM_NAMESPACE(polyveck_decompose)
-void polyveck_decompose(polyveck *v1, polyveck *v0, const polyveck *v);
-#define polyveck_make_hint DILITHIUM_NAMESPACE(polyveck_make_hint)
-unsigned int polyveck_make_hint(polyveck *h,
- const polyveck *v0,
- const polyveck *v1);
-#define polyveck_use_hint DILITHIUM_NAMESPACE(polyveck_use_hint)
-void polyveck_use_hint(polyveck *w, const polyveck *v, const polyveck *h);
-
-#define polyveck_pack_w1 DILITHIUM_NAMESPACE(polyveck_pack_w1)
-void polyveck_pack_w1(uint8_t r[K*POLYW1_PACKEDBYTES], const polyveck *w1);
-
-#define polyvec_matrix_expand DILITHIUM_NAMESPACE(polyvec_matrix_expand)
-void polyvec_matrix_expand(polyvecl mat[K], const uint8_t rho[SEEDBYTES]);
-
-#define polyvec_matrix_pointwise_montgomery DILITHIUM_NAMESPACE(polyvec_matrix_pointwise_montgomery)
-void polyvec_matrix_pointwise_montgomery(polyveck *t, const polyvecl mat[K], const polyvecl *v);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "reduce.h"
-
-/*************************************************
-* Name: montgomery_reduce
-*
-* Description: For finite field element a with -2^{31}Q <= a <= Q*2^31,
-* compute r \equiv a*2^{-32} (mod Q) such that -Q < r < Q.
-*
-* Arguments: - int64_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t montgomery_reduce(int64_t a) {
- int32_t t;
-
- t = (int64_t)(int32_t)a*QINV;
- t = (a - (int64_t)t*Q) >> 32;
- return t;
-}
-
-/*************************************************
-* Name: reduce32
-*
-* Description: For finite field element a with a <= 2^{31} - 2^{22} - 1,
-* compute r \equiv a (mod Q) such that -6283009 <= r <= 6283007.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t reduce32(int32_t a) {
- int32_t t;
-
- t = (a + (1 << 22)) >> 23;
- t = a - t*Q;
- return t;
-}
-
-/*************************************************
-* Name: caddq
-*
-* Description: Add Q if input coefficient is negative.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t caddq(int32_t a) {
- a += (a >> 31) & Q;
- return a;
-}
-
-/*************************************************
-* Name: freeze
-*
-* Description: For finite field element a, compute standard
-* representative r = a mod^+ Q.
-*
-* Arguments: - int32_t: finite field element a
-*
-* Returns r.
-**************************************************/
-int32_t freeze(int32_t a) {
- a = reduce32(a);
- a = caddq(a);
- return a;
-}
+++ /dev/null
-#ifndef REDUCE_H
-#define REDUCE_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define MONT -4186625 // 2^32 % Q
-#define QINV 58728449 // q^(-1) mod 2^32
-
-#define montgomery_reduce DILITHIUM_NAMESPACE(montgomery_reduce)
-int32_t montgomery_reduce(int64_t a);
-
-#define reduce32 DILITHIUM_NAMESPACE(reduce32)
-int32_t reduce32(int32_t a);
-
-#define caddq DILITHIUM_NAMESPACE(caddq)
-int32_t caddq(int32_t a);
-
-#define freeze DILITHIUM_NAMESPACE(freeze)
-int32_t freeze(int32_t a);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "rounding.h"
-
-/*************************************************
-* Name: power2round
-*
-* Description: For finite field element a, compute a0, a1 such that
-* a mod^+ Q = a1*2^D + a0 with -2^{D-1} < a0 <= 2^{D-1}.
-* Assumes a to be standard representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t power2round(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + (1 << (D-1)) - 1) >> D;
- *a0 = a - (a1 << D);
- return a1;
-}
-
-/*************************************************
-* Name: decompose
-*
-* Description: For finite field element a, compute high and low bits a0, a1 such
-* that a mod^+ Q = a1*ALPHA + a0 with -ALPHA/2 < a0 <= ALPHA/2 except
-* if a1 = (Q-1)/ALPHA where we set a1 = 0 and
-* -ALPHA/2 <= a0 = a mod^+ Q - Q < 0. Assumes a to be standard
-* representative.
-*
-* Arguments: - int32_t a: input element
-* - int32_t *a0: pointer to output element a0
-*
-* Returns a1.
-**************************************************/
-int32_t decompose(int32_t *a0, int32_t a) {
- int32_t a1;
-
- a1 = (a + 127) >> 7;
-#if GAMMA2 == (Q-1)/32
- a1 = (a1*1025 + (1 << 21)) >> 22;
- a1 &= 15;
-#elif GAMMA2 == (Q-1)/88
- a1 = (a1*11275 + (1 << 23)) >> 24;
- a1 ^= ((43 - a1) >> 31) & a1;
-#endif
-
- *a0 = a - a1*2*GAMMA2;
- *a0 -= (((Q-1)/2 - *a0) >> 31) & Q;
- return a1;
-}
-
-/*************************************************
-* Name: make_hint
-*
-* Description: Compute hint bit indicating whether the low bits of the
-* input element overflow into the high bits.
-*
-* Arguments: - int32_t a0: low bits of input element
-* - int32_t a1: high bits of input element
-*
-* Returns 1 if overflow.
-**************************************************/
-unsigned int make_hint(int32_t a0, int32_t a1) {
- if(a0 > GAMMA2 || a0 < -GAMMA2 || (a0 == -GAMMA2 && a1 != 0))
- return 1;
-
- return 0;
-}
-
-/*************************************************
-* Name: use_hint
-*
-* Description: Correct high bits according to hint.
-*
-* Arguments: - int32_t a: input element
-* - unsigned int hint: hint bit
-*
-* Returns corrected high bits.
-**************************************************/
-int32_t use_hint(int32_t a, unsigned int hint) {
- int32_t a0, a1;
-
- a1 = decompose(&a0, a);
- if(hint == 0)
- return a1;
-
-#if GAMMA2 == (Q-1)/32
- if(a0 > 0)
- return (a1 + 1) & 15;
- else
- return (a1 - 1) & 15;
-#elif GAMMA2 == (Q-1)/88
- if(a0 > 0)
- return (a1 == 43) ? 0 : a1 + 1;
- else
- return (a1 == 0) ? 43 : a1 - 1;
-#endif
-}
+++ /dev/null
-#ifndef ROUNDING_H
-#define ROUNDING_H
-
-#include <stdint.h>
-#include "params.h"
-
-#define power2round DILITHIUM_NAMESPACE(power2round)
-int32_t power2round(int32_t *a0, int32_t a);
-
-#define decompose DILITHIUM_NAMESPACE(decompose)
-int32_t decompose(int32_t *a0, int32_t a);
-
-#define make_hint DILITHIUM_NAMESPACE(make_hint)
-unsigned int make_hint(int32_t a0, int32_t a1);
-
-#define use_hint DILITHIUM_NAMESPACE(use_hint)
-int32_t use_hint(int32_t a, unsigned int hint);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "sign.h"
-#include "packing.h"
-#include "polyvec.h"
-#include "poly.h"
-#include "randombytes.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-/*************************************************
-* Name: crypto_sign_keypair
-*
-* Description: Generates public and private key.
-*
-* Arguments: - uint8_t *pk: pointer to output public key (allocated
-* array of CRYPTO_PUBLICKEYBYTES bytes)
-* - uint8_t *sk: pointer to output private key (allocated
-* array of CRYPTO_SECRETKEYBYTES bytes)
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk) {
- uint8_t seedbuf[2*SEEDBYTES + CRHBYTES];
- uint8_t tr[SEEDBYTES];
- const uint8_t *rho, *rhoprime, *key;
- polyvecl mat[K];
- polyvecl s1, s1hat;
- polyveck s2, t1, t0;
-
- /* Get randomness for rho, rhoprime and key */
- randombytes(seedbuf, SEEDBYTES);
- shake256(seedbuf, 2*SEEDBYTES + CRHBYTES, seedbuf, SEEDBYTES);
- rho = seedbuf;
- rhoprime = rho + SEEDBYTES;
- key = rhoprime + CRHBYTES;
-
- /* Expand matrix */
- polyvec_matrix_expand(mat, rho);
-
- /* Sample short vectors s1 and s2 */
- polyvecl_uniform_eta(&s1, rhoprime, 0);
- polyveck_uniform_eta(&s2, rhoprime, L);
-
- /* Matrix-vector multiplication */
- s1hat = s1;
- polyvecl_ntt(&s1hat);
- polyvec_matrix_pointwise_montgomery(&t1, mat, &s1hat);
- polyveck_reduce(&t1);
- polyveck_invntt_tomont(&t1);
-
- /* Add error vector s2 */
- polyveck_add(&t1, &t1, &s2);
-
- /* Extract t1 and write public key */
- polyveck_caddq(&t1);
- polyveck_power2round(&t1, &t0, &t1);
- pack_pk(pk, rho, &t1);
-
- /* Compute H(rho, t1) and write secret key */
- shake256(tr, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- pack_sk(sk, rho, tr, key, &t0, &s1, &s2);
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_signature
-*
-* Description: Computes signature.
-*
-* Arguments: - uint8_t *sig: pointer to output signature (of length CRYPTO_BYTES)
-* - size_t *siglen: pointer to output length of signature
-* - uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign_signature(uint8_t *sig,
- size_t *siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk)
-{
- unsigned int n;
- uint8_t seedbuf[3*SEEDBYTES + 2*CRHBYTES];
- uint8_t *rho, *tr, *key, *mu, *rhoprime;
- uint16_t nonce = 0;
- polyvecl mat[K], s1, y, z;
- polyveck t0, s2, w1, w0, h;
- poly cp;
- shake256incctx state;
-
- rho = seedbuf;
- tr = rho + SEEDBYTES;
- key = tr + SEEDBYTES;
- mu = key + SEEDBYTES;
- rhoprime = mu + CRHBYTES;
- unpack_sk(rho, tr, key, &t0, &s1, &s2, sk);
-
- /* Compute CRH(tr, msg) */
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, tr, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
-#ifdef DILITHIUM_RANDOMIZED_SIGNING
- randombytes(rhoprime, CRHBYTES);
-#else
- shake256(rhoprime, CRHBYTES, key, SEEDBYTES + CRHBYTES);
-#endif
-
- /* Expand matrix and transform vectors */
- polyvec_matrix_expand(mat, rho);
- polyvecl_ntt(&s1);
- polyveck_ntt(&s2);
- polyveck_ntt(&t0);
-
-rej:
- /* Sample intermediate vector y */
- polyvecl_uniform_gamma1(&y, rhoprime, nonce++);
-
- /* Matrix-vector multiplication */
- z = y;
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Decompose w and call the random oracle */
- polyveck_caddq(&w1);
- polyveck_decompose(&w1, &w0, &w1);
- polyveck_pack_w1(sig, &w1);
-
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, sig, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(sig, SEEDBYTES, &state);
- poly_challenge(&cp, sig);
- poly_ntt(&cp);
-
- /* Compute z, reject if it reveals secret */
- polyvecl_pointwise_poly_montgomery(&z, &cp, &s1);
- polyvecl_invntt_tomont(&z);
- polyvecl_add(&z, &z, &y);
- polyvecl_reduce(&z);
- if(polyvecl_chknorm(&z, GAMMA1 - BETA))
- goto rej;
-
- /* Check that subtracting cs2 does not change high bits of w and low bits
- * do not reveal secret information */
- polyveck_pointwise_poly_montgomery(&h, &cp, &s2);
- polyveck_invntt_tomont(&h);
- polyveck_sub(&w0, &w0, &h);
- polyveck_reduce(&w0);
- if(polyveck_chknorm(&w0, GAMMA2 - BETA))
- goto rej;
-
- /* Compute hints for w1 */
- polyveck_pointwise_poly_montgomery(&h, &cp, &t0);
- polyveck_invntt_tomont(&h);
- polyveck_reduce(&h);
- if(polyveck_chknorm(&h, GAMMA2))
- goto rej;
-
- polyveck_add(&w0, &w0, &h);
- n = polyveck_make_hint(&h, &w0, &w1);
- if(n > OMEGA)
- goto rej;
-
- shake256_inc_ctx_release(&state);
-
- /* Write signature */
- pack_sig(sig, sig, &z, &h);
- *siglen = CRYPTO_BYTES;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign
-*
-* Description: Compute signed message.
-*
-* Arguments: - uint8_t *sm: pointer to output signed message (allocated
-* array with CRYPTO_BYTES + mlen bytes),
-* can be equal to m
-* - size_t *smlen: pointer to output length of signed
-* message
-* - const uint8_t *m: pointer to message to be signed
-* - size_t mlen: length of message
-* - const uint8_t *sk: pointer to bit-packed secret key
-*
-* Returns 0 (success)
-**************************************************/
-int crypto_sign(uint8_t *sm,
- size_t *smlen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *sk)
-{
- size_t i;
-
- for(i = 0; i < mlen; ++i)
- sm[CRYPTO_BYTES + mlen - 1 - i] = m[mlen - 1 - i];
- crypto_sign_signature(sm, smlen, sm + CRYPTO_BYTES, mlen, sk);
- *smlen += mlen;
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_verify
-*
-* Description: Verifies signature.
-*
-* Arguments: - uint8_t *m: pointer to input signature
-* - size_t siglen: length of signature
-* - const uint8_t *m: pointer to message
-* - size_t mlen: length of message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signature could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_verify(const uint8_t *sig,
- size_t siglen,
- const uint8_t *m,
- size_t mlen,
- const uint8_t *pk)
-{
- unsigned int i;
- uint8_t buf[K*POLYW1_PACKEDBYTES];
- uint8_t rho[SEEDBYTES];
- uint8_t mu[CRHBYTES];
- uint8_t c[SEEDBYTES];
- uint8_t c2[SEEDBYTES];
- poly cp;
- polyvecl mat[K], z;
- polyveck t1, w1, h;
- shake256incctx state;
-
- if(siglen != CRYPTO_BYTES)
- return -1;
-
- unpack_pk(rho, &t1, pk);
- if(unpack_sig(c, &z, &h, sig))
- return -1;
- if(polyvecl_chknorm(&z, GAMMA1 - BETA))
- return -1;
-
- /* Compute CRH(H(rho, t1), msg) */
- shake256(mu, SEEDBYTES, pk, CRYPTO_PUBLICKEYBYTES);
- shake256_inc_init(&state);
- shake256_inc_absorb(&state, mu, SEEDBYTES);
- shake256_inc_absorb(&state, m, mlen);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(mu, CRHBYTES, &state);
-
- /* Matrix-vector multiplication; compute Az - c2^dt1 */
- poly_challenge(&cp, c);
- polyvec_matrix_expand(mat, rho);
-
- polyvecl_ntt(&z);
- polyvec_matrix_pointwise_montgomery(&w1, mat, &z);
-
- poly_ntt(&cp);
- polyveck_shiftl(&t1);
- polyveck_ntt(&t1);
- polyveck_pointwise_poly_montgomery(&t1, &cp, &t1);
-
- polyveck_sub(&w1, &w1, &t1);
- polyveck_reduce(&w1);
- polyveck_invntt_tomont(&w1);
-
- /* Reconstruct w1 */
- polyveck_caddq(&w1);
- polyveck_use_hint(&w1, &w1, &h);
- polyveck_pack_w1(buf, &w1);
-
- /* Call random oracle and verify challenge */
- shake256_inc_ctx_reset(&state);
- shake256_inc_absorb(&state, mu, CRHBYTES);
- shake256_inc_absorb(&state, buf, K*POLYW1_PACKEDBYTES);
- shake256_inc_finalize(&state);
- shake256_inc_squeeze(c2, SEEDBYTES, &state);
- shake256_inc_ctx_release(&state);
- for(i = 0; i < SEEDBYTES; ++i)
- if(c[i] != c2[i])
- return -1;
-
- return 0;
-}
-
-/*************************************************
-* Name: crypto_sign_open
-*
-* Description: Verify signed message.
-*
-* Arguments: - uint8_t *m: pointer to output message (allocated
-* array with smlen bytes), can be equal to sm
-* - size_t *mlen: pointer to output length of message
-* - const uint8_t *sm: pointer to signed message
-* - size_t smlen: length of signed message
-* - const uint8_t *pk: pointer to bit-packed public key
-*
-* Returns 0 if signed message could be verified correctly and -1 otherwise
-**************************************************/
-int crypto_sign_open(uint8_t *m,
- size_t *mlen,
- const uint8_t *sm,
- size_t smlen,
- const uint8_t *pk)
-{
- size_t i;
-
- if(smlen < CRYPTO_BYTES)
- goto badsig;
-
- *mlen = smlen - CRYPTO_BYTES;
- if(crypto_sign_verify(sm, CRYPTO_BYTES, sm + CRYPTO_BYTES, *mlen, pk))
- goto badsig;
- else {
- /* All good, copy msg, return 0 */
- for(i = 0; i < *mlen; ++i)
- m[i] = sm[CRYPTO_BYTES + i];
- return 0;
- }
-
-badsig:
- /* Signature verification failed */
- *mlen = -1;
- for(i = 0; i < smlen; ++i)
- m[i] = 0;
-
- return -1;
-}
+++ /dev/null
-#ifndef SIGN_H
-#define SIGN_H
-
-#include <stddef.h>
-#include <stdint.h>
-#include "params.h"
-#include "polyvec.h"
-#include "poly.h"
-
-#define challenge DILITHIUM_NAMESPACE(challenge)
-void challenge(poly *c, const uint8_t seed[SEEDBYTES]);
-
-#define crypto_sign_keypair DILITHIUM_NAMESPACE(keypair)
-int crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-
-#define crypto_sign_signature DILITHIUM_NAMESPACE(signature)
-int crypto_sign_signature(uint8_t *sig, size_t *siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign DILITHIUM_NAMESPACETOP
-int crypto_sign(uint8_t *sm, size_t *smlen,
- const uint8_t *m, size_t mlen,
- const uint8_t *sk);
-
-#define crypto_sign_verify DILITHIUM_NAMESPACE(verify)
-int crypto_sign_verify(const uint8_t *sig, size_t siglen,
- const uint8_t *m, size_t mlen,
- const uint8_t *pk);
-
-#define crypto_sign_open DILITHIUM_NAMESPACE(open)
-int crypto_sign_open(uint8_t *m, size_t *mlen,
- const uint8_t *sm, size_t smlen,
- const uint8_t *pk);
-
-#endif
+++ /dev/null
-#include <stdint.h>
-#include "params.h"
-#include "symmetric.h"
-#include "fips202.h"
-
-void dilithium_shake128_stream_init(shake128incctx *state, const uint8_t seed[SEEDBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake128_inc_init(state);
- shake128_inc_absorb(state, seed, SEEDBYTES);
- shake128_inc_absorb(state, t, 2);
- shake128_inc_finalize(state);
-}
-
-void dilithium_shake256_stream_init(shake256incctx *state, const uint8_t seed[CRHBYTES], uint16_t nonce)
-{
- uint8_t t[2];
- t[0] = nonce;
- t[1] = nonce >> 8;
-
- shake256_inc_init(state);
- shake256_inc_absorb(state, seed, CRHBYTES);
- shake256_inc_absorb(state, t, 2);
- shake256_inc_finalize(state);
-}
+++ /dev/null
-#ifndef SYMMETRIC_H
-#define SYMMETRIC_H
-
-#include <stdint.h>
-#include "params.h"
-
-#ifdef DILITHIUM_USE_AES
-
-#include "aes256ctr.h"
-#include "fips202.h"
-
-typedef aes256ctr_ctx stream128_state;
-typedef aes256ctr_ctx stream256_state;
-
-#define dilithium_aes256ctr_init DILITHIUM_NAMESPACE(dilithium_aes256ctr_init)
-void dilithium_aes256ctr_init(aes256ctr_ctx *state,
- const uint8_t key[32],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES AES256CTR_BLOCKBYTES
-#define STREAM256_BLOCKBYTES AES256CTR_BLOCKBYTES
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) \
- aes256_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_aes256ctr_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- aes256ctr_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) \
- aes256_ctx_release(STATE)
-
-#else
-
-#include "fips202.h"
-
-typedef shake128incctx stream128_state;
-typedef shake256incctx stream256_state;
-
-#define dilithium_shake128_stream_init DILITHIUM_NAMESPACE(dilithium_shake128_stream_init)
-void dilithium_shake128_stream_init(shake128incctx *state,
- const uint8_t seed[SEEDBYTES],
- uint16_t nonce);
-
-#define dilithium_shake256_stream_init DILITHIUM_NAMESPACE(dilithium_shake256_stream_init)
-void dilithium_shake256_stream_init(shake256incctx *state,
- const uint8_t seed[CRHBYTES],
- uint16_t nonce);
-
-#define STREAM128_BLOCKBYTES SHAKE128_RATE
-#define STREAM256_BLOCKBYTES SHAKE256_RATE
-
-#define stream128_init(STATE, SEED, NONCE) \
- dilithium_shake128_stream_init(STATE, SEED, NONCE)
-#define stream128_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake128_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream128_release(STATE) shake128_inc_ctx_release(STATE)
-#define stream256_init(STATE, SEED, NONCE) \
- dilithium_shake256_stream_init(STATE, SEED, NONCE)
-#define stream256_squeezeblocks(OUT, OUTBLOCKS, STATE) \
- shake256_squeezeblocks(OUT, OUTBLOCKS, STATE)
-#define stream256_release(STATE) shake256_inc_ctx_release(STATE)
-
-#endif
-
-#endif
+++ /dev/null
-// SPDX-License-Identifier: MIT
-
-#ifndef OQS_SIG_DILITHIUM_H
-#define OQS_SIG_DILITHIUM_H
-
-#include <oqs/oqs.h>
-
-#if defined(OQS_ENABLE_SIG_dilithium_2)
-#define OQS_SIG_dilithium_2_length_public_key 1312
-#define OQS_SIG_dilithium_2_length_secret_key 2528
-#define OQS_SIG_dilithium_2_length_signature 2420
-
-OQS_SIG *OQS_SIG_dilithium_2_new(void);
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_keypair(uint8_t *public_key, uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *public_key);
-#endif
-
-#if defined(OQS_ENABLE_SIG_dilithium_3)
-#define OQS_SIG_dilithium_3_length_public_key 1952
-#define OQS_SIG_dilithium_3_length_secret_key 4000
-#define OQS_SIG_dilithium_3_length_signature 3293
-
-OQS_SIG *OQS_SIG_dilithium_3_new(void);
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_keypair(uint8_t *public_key, uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *public_key);
-#endif
-
-#if defined(OQS_ENABLE_SIG_dilithium_5)
-#define OQS_SIG_dilithium_5_length_public_key 2592
-#define OQS_SIG_dilithium_5_length_secret_key 4864
-#define OQS_SIG_dilithium_5_length_signature 4595
-
-OQS_SIG *OQS_SIG_dilithium_5_new(void);
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_keypair(uint8_t *public_key, uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *secret_key);
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx, size_t ctxlen, const uint8_t *public_key);
-#endif
-
-#endif
+++ /dev/null
-// SPDX-License-Identifier: MIT
-
-#include <stdlib.h>
-
-#include <oqs/sig_dilithium.h>
-
-#if defined(OQS_ENABLE_SIG_dilithium_2)
-OQS_SIG *OQS_SIG_dilithium_2_new(void) {
-
- OQS_SIG *sig = OQS_MEM_malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_dilithium_2;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409";
-
- sig->claimed_nist_level = 2;
- sig->euf_cma = true;
- sig->suf_cma = true;
- sig->sig_with_ctx_support = false;
-
- sig->length_public_key = OQS_SIG_dilithium_2_length_public_key;
- sig->length_secret_key = OQS_SIG_dilithium_2_length_secret_key;
- sig->length_signature = OQS_SIG_dilithium_2_length_signature;
-
- sig->keypair = OQS_SIG_dilithium_2_keypair;
- sig->sign = OQS_SIG_dilithium_2_sign;
- sig->verify = OQS_SIG_dilithium_2_verify;
- sig->sign_with_ctx_str = OQS_SIG_dilithium_2_sign_with_ctx_str;
- sig->verify_with_ctx_str = OQS_SIG_dilithium_2_verify_with_ctx_str;
-
- return sig;
-}
-
-extern int pqcrystals_dilithium2_ref_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_dilithium2_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_dilithium2_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-#if defined(OQS_ENABLE_SIG_dilithium_2_avx2)
-extern int pqcrystals_dilithium2_avx2_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_dilithium2_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_dilithium2_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-#if defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-extern int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_keypair(uint8_t *public_key, uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_2_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium2_avx2_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium2_ref_keypair(public_key, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_2_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium2_avx2_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium2_ref_signature(signature, signature_len, message, message_len, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_2_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium2_avx2_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_2_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM2_AARCH64_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium2_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium2_ref_verify(signature, signature_len, message, message_len, public_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *secret_key) {
- if (ctx_str == NULL && ctx_str_len == 0) {
- return OQS_SIG_dilithium_2_sign(signature, signature_len, message, message_len, secret_key);
- } else {
- return OQS_ERROR;
- }
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_2_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *public_key) {
- if (ctx_str == NULL && ctx_str_len == 0) {
- return OQS_SIG_dilithium_2_verify(message, message_len, signature, signature_len, public_key);
- } else {
- return OQS_ERROR;
- }
-}
-#endif
+++ /dev/null
-// SPDX-License-Identifier: MIT
-
-#include <stdlib.h>
-
-#include <oqs/sig_dilithium.h>
-
-#if defined(OQS_ENABLE_SIG_dilithium_3)
-OQS_SIG *OQS_SIG_dilithium_3_new(void) {
-
- OQS_SIG *sig = OQS_MEM_malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_dilithium_3;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409";
-
- sig->claimed_nist_level = 3;
- sig->euf_cma = true;
- sig->suf_cma = true;
- sig->sig_with_ctx_support = false;
-
- sig->length_public_key = OQS_SIG_dilithium_3_length_public_key;
- sig->length_secret_key = OQS_SIG_dilithium_3_length_secret_key;
- sig->length_signature = OQS_SIG_dilithium_3_length_signature;
-
- sig->keypair = OQS_SIG_dilithium_3_keypair;
- sig->sign = OQS_SIG_dilithium_3_sign;
- sig->verify = OQS_SIG_dilithium_3_verify;
- sig->sign_with_ctx_str = OQS_SIG_dilithium_3_sign_with_ctx_str;
- sig->verify_with_ctx_str = OQS_SIG_dilithium_3_verify_with_ctx_str;
-
- return sig;
-}
-
-extern int pqcrystals_dilithium3_ref_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_dilithium3_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_dilithium3_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-#if defined(OQS_ENABLE_SIG_dilithium_3_avx2)
-extern int pqcrystals_dilithium3_avx2_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_dilithium3_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_dilithium3_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-#if defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-extern int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_keypair(uint8_t *public_key, uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_3_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium3_avx2_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium3_ref_keypair(public_key, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_3_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium3_avx2_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium3_ref_signature(signature, signature_len, message, message_len, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_3_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium3_avx2_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_3_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM3_AARCH64_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium3_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium3_ref_verify(signature, signature_len, message, message_len, public_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *secret_key) {
- if (ctx_str == NULL && ctx_str_len == 0) {
- return OQS_SIG_dilithium_3_sign(signature, signature_len, message, message_len, secret_key);
- } else {
- return OQS_ERROR;
- }
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_3_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *public_key) {
- if (ctx_str == NULL && ctx_str_len == 0) {
- return OQS_SIG_dilithium_3_verify(message, message_len, signature, signature_len, public_key);
- } else {
- return OQS_ERROR;
- }
-}
-#endif
+++ /dev/null
-// SPDX-License-Identifier: MIT
-
-#include <stdlib.h>
-
-#include <oqs/sig_dilithium.h>
-
-#if defined(OQS_ENABLE_SIG_dilithium_5)
-OQS_SIG *OQS_SIG_dilithium_5_new(void) {
-
- OQS_SIG *sig = OQS_MEM_malloc(sizeof(OQS_SIG));
- if (sig == NULL) {
- return NULL;
- }
- sig->method_name = OQS_SIG_alg_dilithium_5;
- sig->alg_version = "https://github.com/pq-crystals/dilithium/commit/d9c885d3f2e11c05529eeeb7d70d808c972b8409";
-
- sig->claimed_nist_level = 5;
- sig->euf_cma = true;
- sig->suf_cma = true;
- sig->sig_with_ctx_support = false;
-
- sig->length_public_key = OQS_SIG_dilithium_5_length_public_key;
- sig->length_secret_key = OQS_SIG_dilithium_5_length_secret_key;
- sig->length_signature = OQS_SIG_dilithium_5_length_signature;
-
- sig->keypair = OQS_SIG_dilithium_5_keypair;
- sig->sign = OQS_SIG_dilithium_5_sign;
- sig->verify = OQS_SIG_dilithium_5_verify;
- sig->sign_with_ctx_str = OQS_SIG_dilithium_5_sign_with_ctx_str;
- sig->verify_with_ctx_str = OQS_SIG_dilithium_5_verify_with_ctx_str;
-
- return sig;
-}
-
-extern int pqcrystals_dilithium5_ref_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_dilithium5_ref_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_dilithium5_ref_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-
-#if defined(OQS_ENABLE_SIG_dilithium_5_avx2)
-extern int pqcrystals_dilithium5_avx2_keypair(uint8_t *pk, uint8_t *sk);
-extern int pqcrystals_dilithium5_avx2_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int pqcrystals_dilithium5_avx2_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-#if defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-extern int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_keypair(uint8_t *pk, uint8_t *sk);
-extern int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_signature(uint8_t *sig, size_t *siglen, const uint8_t *m, size_t mlen, const uint8_t *sk);
-extern int PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_verify(const uint8_t *sig, size_t siglen, const uint8_t *m, size_t mlen, const uint8_t *pk);
-#endif
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_keypair(uint8_t *public_key, uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_5_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium5_avx2_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_keypair(public_key, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_keypair(public_key, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium5_ref_keypair(public_key, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_sign(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *secret_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_5_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium5_avx2_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_signature(signature, signature_len, message, message_len, secret_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_signature(signature, signature_len, message, message_len, secret_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium5_ref_signature(signature, signature_len, message, message_len, secret_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_verify(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *public_key) {
-#if defined(OQS_ENABLE_SIG_dilithium_5_avx2)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_AVX2) && OQS_CPU_has_extension(OQS_CPU_EXT_POPCNT)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) pqcrystals_dilithium5_avx2_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#elif defined(OQS_ENABLE_SIG_dilithium_5_aarch64)
-#if defined(OQS_DIST_BUILD)
- if (OQS_CPU_has_extension(OQS_CPU_EXT_ARM_NEON)) {
-#endif /* OQS_DIST_BUILD */
- return (OQS_STATUS) PQCLEAN_DILITHIUM5_AARCH64_crypto_sign_verify(signature, signature_len, message, message_len, public_key);
-#if defined(OQS_DIST_BUILD)
- } else {
- return (OQS_STATUS) pqcrystals_dilithium5_ref_verify(signature, signature_len, message, message_len, public_key);
- }
-#endif /* OQS_DIST_BUILD */
-#else
- return (OQS_STATUS) pqcrystals_dilithium5_ref_verify(signature, signature_len, message, message_len, public_key);
-#endif
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_sign_with_ctx_str(uint8_t *signature, size_t *signature_len, const uint8_t *message, size_t message_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *secret_key) {
- if (ctx_str == NULL && ctx_str_len == 0) {
- return OQS_SIG_dilithium_5_sign(signature, signature_len, message, message_len, secret_key);
- } else {
- return OQS_ERROR;
- }
-}
-
-OQS_API OQS_STATUS OQS_SIG_dilithium_5_verify_with_ctx_str(const uint8_t *message, size_t message_len, const uint8_t *signature, size_t signature_len, const uint8_t *ctx_str, size_t ctx_str_len, const uint8_t *public_key) {
- if (ctx_str == NULL && ctx_str_len == 0) {
- return OQS_SIG_dilithium_5_verify(message, message_len, signature, signature_len, public_key);
- } else {
- return OQS_ERROR;
- }
-}
-#endif
// EDIT-WHEN-ADDING-SIG
const char *a[OQS_SIG_algs_length] = {
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALG_IDENTIFIER_START
- OQS_SIG_alg_dilithium_2,
- OQS_SIG_alg_dilithium_3,
- OQS_SIG_alg_dilithium_5,
OQS_SIG_alg_ml_dsa_44,
OQS_SIG_alg_ml_dsa_65,
OQS_SIG_alg_ml_dsa_87,
}
if (0) {
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ENABLED_CASE_START
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_dilithium_2)) {
-#ifdef OQS_ENABLE_SIG_dilithium_2
- return 1;
-#else
- return 0;
-#endif
-
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_dilithium_3)) {
-#ifdef OQS_ENABLE_SIG_dilithium_3
- return 1;
-#else
- return 0;
-#endif
-
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_dilithium_5)) {
-#ifdef OQS_ENABLE_SIG_dilithium_5
- return 1;
-#else
- return 0;
-#endif
-
} else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_44)) {
#ifdef OQS_ENABLE_SIG_ml_dsa_44
return 1;
}
if (0) {
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_NEW_CASE_START
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_dilithium_2)) {
-#ifdef OQS_ENABLE_SIG_dilithium_2
- return OQS_SIG_dilithium_2_new();
-#else
- return NULL;
-#endif
-
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_dilithium_3)) {
-#ifdef OQS_ENABLE_SIG_dilithium_3
- return OQS_SIG_dilithium_3_new();
-#else
- return NULL;
-#endif
-
- } else if (0 == strcasecmp(method_name, OQS_SIG_alg_dilithium_5)) {
-#ifdef OQS_ENABLE_SIG_dilithium_5
- return OQS_SIG_dilithium_5_new();
-#else
- return NULL;
-#endif
-
} else if (0 == strcasecmp(method_name, OQS_SIG_alg_ml_dsa_44)) {
#ifdef OQS_ENABLE_SIG_ml_dsa_44
return OQS_SIG_ml_dsa_44_new();
#endif
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALG_IDENTIFIER_START
-/** Algorithm identifier for Dilithium2 */
-#define OQS_SIG_alg_dilithium_2 "Dilithium2"
-/** Algorithm identifier for Dilithium3 */
-#define OQS_SIG_alg_dilithium_3 "Dilithium3"
-/** Algorithm identifier for Dilithium5 */
-#define OQS_SIG_alg_dilithium_5 "Dilithium5"
/** Algorithm identifier for ML-DSA-44 */
#define OQS_SIG_alg_ml_dsa_44 "ML-DSA-44"
/** Algorithm identifier for ML-DSA-65 */
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALGS_LENGTH_START
/** Number of algorithm identifiers above. */
-#define OQS_SIG_algs_length 68 + OQS_SIG_SLH_DSA_algs_length
+#define OQS_SIG_algs_length 65 + OQS_SIG_SLH_DSA_algs_length
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_ALGS_LENGTH_END
/**
OQS_API bool OQS_SIG_supports_ctx_str(const char *alg_name);
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_INCLUDE_START
-#ifdef OQS_ENABLE_SIG_DILITHIUM
-#include <oqs/sig_dilithium.h>
-#endif /* OQS_ENABLE_SIG_DILITHIUM */
#ifdef OQS_ENABLE_SIG_ML_DSA
#include <oqs/sig_ml_dsa.h>
#endif /* OQS_ENABLE_SIG_ML_DSA */
{
- "Dilithium2": {
- "all": "38337ea2e165cc1161de2da5af515a187d20d65f1aaffde844121c3c21b27c07",
- "single": "26ae9c1224171e957dbe38672942d31edb7dffbe700825e0cb52128cdb45280a"
- },
- "Dilithium3": {
- "all": "020a69d51c3ee0332e119780451b4cdfaf5ddbd627db37e7f78c641e98e223a9",
- "single": "eea584803c3d6991a4acbf9f117147bbdd246faf822cfb1a17effe20b2052ba9"
- },
- "Dilithium5": {
- "all": "a76f63375cb3897b4fb01190976367f7cde73808f0166533a94be7c7942705ab",
- "single": "3f6e58603a38be57cf08d79b01fcfd0ccc1129a09e14a6122c6fe22c906ddc3b"
- },
"Falcon-1024": {
"all": "46f9682ebf6fd31bae60c3191ed1a6c56aa09fb4945a266f86732a90c6c4db67",
"single": "e699d88eb214fef30597385f40814baeb84ac505d5f05f5c257b0726fc4530b8"
"cross-rsdpg-256-balanced": [],
"cross-rsdpg-256-fast": [],
"cross-rsdpg-256-small": [],
- "Dilithium2": [],
- "Dilithium3": [],
- "Dilithium5": [],
"Falcon-1024": ["falcon"],
"Falcon-512": ["falcon"],
"Falcon-padded-1024": ["falcon"],
"cross-rsdpg-256-balanced": ["cross"],
"cross-rsdpg-256-fast": ["cross"],
"cross-rsdpg-256-small": ["cross"],
- "Dilithium2": ["dilithium", "dilithium-avx2", "dilithium-aarch64"],
- "Dilithium3": ["dilithium", "dilithium-avx2", "dilithium-aarch64"],
- "Dilithium5": ["dilithium", "dilithium-avx2", "dilithium-aarch64"],
"Falcon-1024": ["falcon_keygen", "falcon_sign"],
"Falcon-512": ["falcon_keygen", "falcon_sign"],
"Falcon-padded-1024": ["falcon_keygen", "falcon_sign"],
+++ /dev/null
-{
- Rejection sampling for uniformly distributed public A matrix
- Memcheck:Cond
- fun:rej_uniform
- fun:pqcrystals_dilithium*_ref_poly_uniform
- fun:pqcrystals_dilithium*_ref_polyvec_matrix_expand
-}
-{
- Rejection sampling for s1 and s2
- Memcheck:Cond
- fun:rej_eta
- fun:pqcrystals_dilithium*_ref_poly_uniform_eta
- fun:pqcrystals_dilithium*_ref_polyvec*_uniform_eta
- fun:pqcrystals_dilithium*_ref_keypair
-}
-{
- Rejection sampling for y
- Memcheck:Cond
- fun:rej_gamma1m1
- fun:pqcrystals_dilithium*_ref_poly_uniform_gamma1m1
- fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for challenge
- Memcheck:Cond
- fun:pqcrystals_dilithium*_ref_poly_challenge
- fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for challenge
- Memcheck:Value8
- fun:pqcrystals_dilithium*_ref_poly_challenge
- fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:150 # Call to polyvecl_chknorm
- # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:159 # Call to polyveck_chknorm
- # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:166 # Call to polyveck_chknorm
- # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Hint does not need to be computed in constant time
- Memcheck:Cond
- ...
- src:sign.c:170 # Call to polyveck_make_hint
- # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for hint
- Memcheck:Cond
- ...
- src:sign.c:171 # Checking number of 1 bits in hint
- # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Packing routines do not need to be constant time
- Memcheck:Cond
- fun:pqcrystals_dilithium*_ref_pack_sig
- fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Verification is not done in constant time
- Memcheck:Cond
- fun:pqcrystals_dilithium*_ref_verify
-}
+++ /dev/null
-{
- Rejection sampling for uniformly distributed public A matrix
- Memcheck:Cond
- fun:rej_uniform
- fun:PQCLEAN_DILITHIUM*_AARCH64_poly_uniformx2
- fun:PQCLEAN_DILITHIUM*_AARCH64_polyvec_matrix_expand
-}
-{
- Rejection sampling for s1 and s2
- Memcheck:Cond
- fun:rej_eta
- fun:PQCLEAN_DILITHIUM*_AARCH64_poly_uniform_eta
- fun:PQCLEAN_DILITHIUM*_AARCH64_polyvec*_uniform_eta
- fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_keypair
-}
-{
- Rejection sampling for challenge
- Memcheck:Cond
- fun:PQCLEAN_DILITHIUM*_AARCH64_poly_challenge
- fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
-}
-{
- Rejection sampling for challenge
- Memcheck:Value8
- fun:PQCLEAN_DILITHIUM*_AARCH64_poly_challenge
- fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:185 # Call to polyvecl_chknorm
- # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:195 # Call to polyveck_chknorm
- # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:203 # Call to polyveck_chknorm
- # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
-}
-{
- Hint does not need to be computed in constant time
- Memcheck:Cond
- ...
- src:sign.c:208 # Call to polyveck_make_hint
- # fun:PQCLEAN_DILITHIUM*_AARCH64_crypto_sign_signature
-}
+++ /dev/null
-{
- Rejection sampling for uniformly distributed public A matrix
- Memcheck:Cond
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_4x
- fun:pqcrystals_dilithium*_avx2_polyvec_matrix_expand_row*
-}
-{
- Rejection sampling for uniformly distributed public A matrix
- Memcheck:Value8
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_4x
- fun:pqcrystals_dilithium*_avx2_polyvec_matrix_expand_row*
-}
-
-
-{
- Rejection sampling for s1 and s2
- Memcheck:Cond
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_eta_4x
- fun:pqcrystals_dilithium*_avx2_keypair
-}
-{
- Rejection sampling for s1 and s2
- Memcheck:Value8
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_eta_4x
- fun:pqcrystals_dilithium*_avx2_keypair
-}
-
-{
- Rejection sampling for y
- Memcheck:Cond
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_gamma1m1_4x
- fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Rejection sampling for y
- Memcheck:Value8
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_gamma1m1_4x
- fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Rejection sampling for s1 and s2
- Memcheck:Cond
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_eta_preinit
- fun:pqcrystals_dilithium*_avx2_poly_uniform_eta
- fun:pqcrystals_dilithium*_avx2_keypair
-}
-{
- Rejection sampling for s1 and s2
- Memcheck:Value8
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_eta_preinit
- fun:pqcrystals_dilithium*_avx2_poly_uniform_eta
- fun:pqcrystals_dilithium*_avx2_keypair
-}
-{
- Rejection sampling for y
- Memcheck:Cond
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_gamma1m1_preinit
- fun:pqcrystals_dilithium*_avx2_poly_uniform_gamma1m1
- fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Rejection sampling for y
- Memcheck:Value8
- ...
- fun:pqcrystals_dilithium*_avx2_poly_uniform_gamma1m1_preinit
- fun:pqcrystals_dilithium*_avx2_poly_uniform_gamma1m1
- fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Rejection sampling for challenge
- Memcheck:Cond
- fun:pqcrystals_dilithium*_avx2_poly_challenge
-}
-{
- Rejection sampling for challenge
- Memcheck:Value8
- fun:pqcrystals_dilithium*_avx2_poly_challenge
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:290 # Call to poly_chknorm
- # fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:305 # Call to poly_chknorm
- # fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Rejection sampling for signature distribution
- Memcheck:Cond
- ...
- src:sign.c:312 # Call to poly_chknorm
- # fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Hint does not need to be computed in constant time
- Memcheck:Cond
- ...
- fun:pqcrystals_dilithium*_avx2_poly_make_hint
- src:sign.c:316 # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Hint does not need to be computed in constant time
- Memcheck:Value8
- ...
- fun:pqcrystals_dilithium*_avx2_poly_make_hint
- src:sign.c:316 # fun:pqcrystals_dilithium*_ref_signature
-}
-{
- Rejection sampling for hint
- Memcheck:Cond
- ...
- src:sign.c:317 # Checking number of 1 bits in hint
- # fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Hint positions are not secret
- Memcheck:Cond
- ...
- src:sign.c:321 # memcpy
- # fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Hint positions are not secret
- Memcheck:Value8
- ...
- src:sign.c:321 # memcpy
- # fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Packing routines do not need to be constant time
- Memcheck:Cond
- fun:pqcrystals_dilithium*_avx2_pack_sig
- fun:pqcrystals_dilithium*_avx2_signature
-}
-{
- Verification is not done in constant time
- Memcheck:Cond
- fun:pqcrystals_dilithium*_avx2_verify
-}
-
OQS_STATUS combine_message_signature(uint8_t **signed_msg, size_t *signed_msg_len, const uint8_t *msg, size_t msg_len, const uint8_t *signature, size_t signature_len, const OQS_SIG *sig) {
if (0) {
///// OQS_COPY_FROM_UPSTREAM_FRAGMENT_COMBINE_MESSAGE_SIGNATURE_START
- } else if (0 == strcmp(sig->method_name, "Dilithium2")) {
- // signed_msg = signature || msg
- *signed_msg_len = signature_len + msg_len;
- *signed_msg = OQS_MEM_malloc(*signed_msg_len);
- if (*signed_msg == NULL) {
- return OQS_ERROR;
- }
- memcpy(*signed_msg, signature, signature_len);
- memcpy(*signed_msg + signature_len, msg, msg_len);
- return OQS_SUCCESS;
- } else if (0 == strcmp(sig->method_name, "Dilithium3")) {
- // signed_msg = signature || msg
- *signed_msg_len = signature_len + msg_len;
- *signed_msg = OQS_MEM_malloc(*signed_msg_len);
- if (*signed_msg == NULL) {
- return OQS_ERROR;
- }
- memcpy(*signed_msg, signature, signature_len);
- memcpy(*signed_msg + signature_len, msg, msg_len);
- return OQS_SUCCESS;
- } else if (0 == strcmp(sig->method_name, "Dilithium5")) {
- // signed_msg = signature || msg
- *signed_msg_len = signature_len + msg_len;
- *signed_msg = OQS_MEM_malloc(*signed_msg_len);
- if (*signed_msg == NULL) {
- return OQS_ERROR;
- }
- memcpy(*signed_msg, signature, signature_len);
- memcpy(*signed_msg + signature_len, msg, msg_len);
- return OQS_SUCCESS;
} else if (0 == strcmp(sig->method_name, "ML-DSA-44")) {
// signed_msg = signature || msg
*signed_msg_len = signature_len + msg_len;
set(OQS_ENABLE_KEM_ML_KEM OFF)
endif()
- if(CONFIG_LIBOQS_ENABLE_SIG_DILITHIUM)
- set(OQS_ENABLE_SIG_DILITHIUM ON)
- else()
- set(OQS_ENABLE_SIG_DILITHIUM OFF)
- endif()
-
if(CONFIG_LIBOQS_ENABLE_SIG_ML_DSA)
set(OQS_ENABLE_SIG_ML_DSA ON)
else()
default y
depends on LIBOQS
-config LIBOQS_ENABLE_SIG_DILITHIUM
- bool "Enable the DILITHIUM signature algorithm (NIST Round 3)"
- default n
- depends on LIBOQS
-
config LIBOQS_ENABLE_SIG_ML_DSA
bool "Enable the ML-DSA signature algorithm (ML-DSA)"
default y
CONFIG_LIBOQS=y
# Enable all Signature algorithms that are disabled by default
-CONFIG_LIBOQS_ENABLE_SIG_DILITHIUM=y
+CONFIG_LIBOQS_ENABLE_SIG_ML_DSA=y
CONFIG_PICOLIBC=y
CONFIG_TEST_RANDOM_GENERATOR=y
projects / 0xmirror / liboqs.git / commitdiff